Fidelity, the financial services giant, has suffered yet another data breach. This time, attackers accessed an internal database containing images of sensitive customer documents, including driver’s licenses and social security numbers. While the exact details of the attack are still emerging, Fidelity finds itself fighting a class action lawsuit.
What happened: it appears that the attackers exploited a vulnerability in a customer-accessible portal used for uploading verification documents.
But it’s not the first time. Fidelity has reported multiple breaches in the past year, indicating a systemic issue with their security posture. This latest incident highlights several critical areas where Fidelity’s security controls appear to have failed:
- Inadequate Data Protection
  The fact that attackers could access and exfiltrate sensitive customer documents using ordinary, everyday user accounts suggests a failure in basic data protection measures. Encryption, access controls, and data segregation seem to have been either absent or ineffective.
- Data Retention Policies
  Storing 77,000+ documents in an active database raises serious questions about Fidelity’s data retention policies. It’s highly likely that data is being kept longer than necessary, increasing the risk of exposure in a breach.
- Lack of Real-Time Monitoring and Response
  The attackers reportedly had access to the database for TWO WHOLE DAYS before being detected. This delay suggests a lack of real-time monitoring and incident response capabilities.
Hindsight is a wonderful thing, but this breach could have been prevented with stronger security measures. Here are some key takeaways for CISOs:
- Implement Robust Access Controls
  Strict access controls should be in place to limit who can access sensitive data. This includes strong authentication, authorization, and least privilege principles.
- Encrypt Sensitive Data
  All sensitive data, both at rest and in transit, should be encrypted. This ensures that even if attackers gain access to the data, they cannot read it without the decryption key.
- Enforce Data Retention Policies
  Data should only be kept for as long as it is needed. Implement automated processes to securely delete or archive data that is no longer required.
- Invest in Real-Time Monitoring and Incident Response
  Implement Threat Detection and Incident Response (TDIR) capabilities or deploy Armor’s Managed Detection and Response (MDR), and establish a robust incident response plan to detect and respond to security incidents quickly.
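As an added illustration of the access-control and monitoring points above (not code from the original post, and not tied to Fidelity’s actual systems), the detector below runs over a constructed audit log for a document-upload portal. The log format, account names and document ids are assumptions; the idea is that an ordinary customer account should only ever read its own documents, so any cross-customer read is an authorization failure, and several distinct owners in a short window is bulk enumeration that should page someone within minutes rather than days.

```python
"""Flag ordinary portal accounts that read other customers' verification documents."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format): timestamp, acting account,
# the customer who owns the document, document id, and action.
SAMPLE_LOG = """\
2024-08-17T09:00:01Z acct=cust-1001 owner=cust-1001 doc=dl-55001 action=read
2024-08-17T09:00:05Z acct=cust-1002 owner=cust-1002 doc=ssn-55002 action=read
2024-08-17T09:01:10Z acct=cust-2042 owner=cust-1001 doc=dl-55001 action=read
2024-08-17T09:01:11Z acct=cust-2042 owner=cust-1002 doc=ssn-55002 action=read
2024-08-17T09:01:12Z acct=cust-2042 owner=cust-1003 doc=dl-55003 action=read
2024-08-17T09:01:13Z acct=cust-2042 owner=cust-1004 doc=dl-55004 action=read
2024-08-17T09:30:00Z acct=cust-2042 owner=cust-1005 doc=dl-55005 action=read
2024-08-17T11:00:00Z acct=cust-1003 owner=cust-1003 doc=dl-55003 action=read
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_suspicious_accounts(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {account: finding} for accounts that read documents they do not own.

    Signal 1: owner != acct is an authorization failure for a customer account.
    Signal 2: >= threshold distinct owners inside `window` marks bulk enumeration.
    """
    cross_reads = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["owner"] != ev["acct"]:
            cross_reads[ev["acct"]].append(ev)

    findings = {}
    for acct, evs in cross_reads.items():
        evs.sort(key=lambda e: e["ts"])
        bulk, start = False, 0
        for end in range(len(evs)):  # sliding window over sorted cross-customer reads
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["owner"] for e in evs[start:end + 1]}) >= threshold:
                bulk = True
                break
        findings[acct] = {"cross_customer_reads": len(evs),
                          "distinct_owners": len({e["owner"] for e in evs}),
                          "bulk": bulk}
    return findings
```

On the sample log only cust-2042 is reported, with five cross-customer reads and the bulk flag set by the four reads inside one minute; the same rule would catch one stolen account working through a 77,000-document table long before the second day.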
This breach serves as a stark reminder that even large, well-established financial institutions are vulnerable to cyberattacks. But it also highlights a broader issue: the over-reliance on basic identity data, such as social security numbers, for establishing financial liability. In an era where personal information is readily available, we need to rethink how we verify identities and protect consumers from financial fraud. It’s time for financial institutions to take greater responsibility for verifying customer identities and ensuring that innocent individuals don’t pay the price for fraudulent activity.