
Learning Cyber History

One year ago today, Fidelity Investments had a cyber event that made history books.

About The Event

The breach occurred at a third party that Fidelity uses. The attackers created two fraudulent customer accounts through that third party, slipped past the existing security controls, and harvested data on 77,099 people. Exposed information included names, Social Security numbers, driver’s licenses, and other personal identifiers. Thankfully, no financial accounts were directly compromised.


After The Breach

Even though only a small percentage of customers were impacted, the company’s reputation was damaged. Customers raised strong concerns about how well protected their information truly is.


A class action was filed shortly after the breach’s remediation. The lawsuit alleged a “massive and preventable data breach of Defendant’s inadequately protected computer network.”


The lawsuit sought 5 million dollars in damages for the victims. To this day, Fidelity has not made a public statement on the lawsuit.


To assist the victims of this breach, Fidelity offered 24 months of free identity protection.


Lessons Learned

A year has passed since the incident, and there are plenty of lessons to be learned. Here are the takeaways the lab wanted to highlight:


  1. Continuous reassessment. A one-time questionnaire doesn’t cut it. Technology changes, and it’s important to know how the third party is integrating new tools and processes.

  2. Attack your own supply chain. Pentest your vendor onboarding integrations to simulate what security risks could have been missed.

  3. Don’t over-collect customer data. Example: if you only need the last 4 digits of the SSN, do not store the full nine.
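The third takeaway is the one most directly turned into code. The example below is added here and is not from the original post or from Fidelity; it assumes a hypothetical enrolment service that needs only the last four SSN digits for customer verification plus a way to spot duplicate enrolments. The full SSN is validated at the intake boundary, reduced to those two fields, and discarded before anything is persisted; the `StoredIdentity` type deliberately has no field that could hold the full number.

```python
"""Data minimisation at the intake boundary (added example, not from the post).

Constructed scenario: the service verifies customers using the last four
SSN digits and needs to detect duplicate enrolments. It never needs the
full SSN after intake, so the full value is never written anywhere.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed key for this example. In production the key lives in a KMS or
# secret store, separate from the database: a 9-digit SSN space is small, so
# a leaked key plus leaked tokens would let an attacker recover SSNs offline.
MATCH_KEY = b"example-only-hmac-key-do-not-reuse"


@dataclass(frozen=True)
class StoredIdentity:
    """The only identity record the system is allowed to keep.

    There is intentionally no full-SSN field: the type itself enforces
    the 'store only what you need' rule.
    """
    name: str
    ssn_last4: str
    ssn_match_token: str  # keyed hash used only for duplicate detection


def _ssn_digits(raw_ssn: str) -> str:
    """Strip separators and validate shape; raises on anything but 9 digits."""
    digits = re.sub(r"\D", "", raw_ssn)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def minimize_record(name: str, raw_ssn: str) -> StoredIdentity:
    """Reduce an intake record to the fields the business actually needs.

    The full SSN exists only in this function's local scope and is not
    returned, logged, or stored.
    """
    digits = _ssn_digits(raw_ssn)
    token = hmac.new(MATCH_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return StoredIdentity(name=name, ssn_last4=digits[-4:], ssn_match_token=token)


def redact_for_log(raw_ssn: str) -> str:
    """Mask an SSN for log lines so the full value never reaches log storage."""
    digits = re.sub(r"\D", "", raw_ssn)
    return "***-**-" + digits[-4:] if len(digits) >= 4 else "***-**-****"


def intake_batch(records):
    """Minimise a batch of (name, raw_ssn) pairs, dropping duplicate SSNs.

    Returns (kept_records, duplicate_count). Duplicates are detected by the
    keyed token, so two formats of the same SSN collapse to one record.
    """
    seen = set()
    kept = []
    duplicates = 0
    for name, raw_ssn in records:
        rec = minimize_record(name, raw_ssn)
        if rec.ssn_match_token in seen:
            duplicates += 1
            continue
        seen.add(rec.ssn_match_token)
        kept.append(rec)
    return kept, duplicates


if __name__ == "__main__":
    # Constructed sample intake; these are not real people or real SSNs.
    sample = [
        ("Ada Example", "123-45-6789"),
        ("Ada Example", "123456789"),   # same SSN, different formatting
        ("Bob Sample", "987-65-4321"),
    ]
    kept, dups = intake_batch(sample)
    for rec in kept:
        print(rec.name, rec.ssn_last4, rec.ssn_match_token[:12] + "...")
    print("duplicates dropped:", dups)
    print("log-safe form:", redact_for_log("123-45-6789"))
```

The point of the keyed token rather than a plain hash is that a bare SHA-256 of a nine-digit number is trivially reversible by enumeration; the HMAC key is what makes the stored token useless to someone who only obtains the database. If the business later needs the full SSN for a regulatory report, that is a new requirement to be designed for deliberately, not a reason to quietly keep the field.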
