Fidelity Investments was breached in mid-August, but only this week got around to telling anyone. Hackers stole 77,099 customers’ private identifying information—social security numbers, driver’s licenses and other unspecified data.
That’s bad enough, but the asset management company also showed a distinct lack of transparency. In today’s SB Blogwatch, we ask if we should divorce Fidelity.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Owl City vs. PMJ.
What’s the craic? Carly Page reports: Fidelity says data breach exposed personal data of 77,000 customers
“Fidelity declined to answer”
One of the world’s largest asset managers has confirmed that over 77,000 customers had personal information compromised during an August data breach—including Social Security numbers and driver’s licenses. The … investment firm said in a filing with Maine’s attorney general … that an unnamed third party accessed information from its systems between August 17 and August 19 “using two customer accounts that they had recently established.”
…
Fidelity did not say how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers. [But] in another data breach notice filed with New Hampshire’s attorney general, Fidelity revealed that the third party “accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents pertaining to Fidelity customers.”
…
Fidelity declined to answer our specific questions about the incident.
Clear as mud? Sergiu Gatlan tries a different tack: Data breach affects over 77,000 people
“Couldn’t share that information”
When asked how the attacker could access the data of thousands of customers using two accounts they previously created, Michael Aalto, Fidelity’s head of external corporate comms, told [me] they couldn’t share that information and added that, “They did not view accounts. They viewed customer information.”
…
As one of the largest asset managers in the world, with $14.1 trillion in assets under administration and $5.5 trillion under management, Fidelity employs over 75,000 associates across 11 countries in North America, Europe, Asia, and Australia.
Try harder. Venky Raju makes an educated guess: Fidelity Investments suffers data breach
“Exploited this vulnerability”
As the attackers were able to use their own accounts to access other customer accounts, it is clear that there are security misconfigurations in Fidelity’s customer-facing web applications. … This attack vector is so well-known and understood that it is ranked number one in OWASP’s Top 10 Web Application Security Risks. Attackers may have exploited this vulnerability to create new accounts at Fidelity and access other accounts.
How would that work? This Anonymous Coward gives a simple example:
Accessing the data of other customers? Probably stupid stuff like their “/show_customer_profile?id={id}” page only checks that you’re authenticated—not that you’re actually customer {id}. Otherwise known as “Broken Access Control.”
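To make the pattern in that comment concrete, here is an added example (not code from the original post or from Fidelity): the `/show_customer_profile?id={id}` endpoint name is the commenter's, while the session table, profiles, log lines and function names are constructed. It shows the authenticated-only lookup beside the object-level check, plus a log-side detector for sessions that fetch many different customer ids.

```python
# Added example, not code from the original post or from Fidelity: the
# /show_customer_profile?id={id} endpoint is the one the comment describes; the
# session table, profiles, log lines and function names are constructed here.
from collections import defaultdict

SESSIONS = {"cookie-alice": 1001, "cookie-mallory": 2002}  # cookie -> customer id
PROFILES = {
    1001: {"name": "Alice", "ssn_last4": "1234"},
    1002: {"name": "Bob", "ssn_last4": "5678"},
    2002: {"name": "Mallory", "ssn_last4": "9999"},
}

def show_customer_profile_vulnerable(cookie, requested_id):
    """Broken access control: 'logged in?' is the only check, so any
    authenticated user can supply someone else's id and read that profile."""
    if cookie not in SESSIONS:
        return 401, None
    profile = PROFILES.get(requested_id)
    return (200, profile) if profile else (404, None)

def show_customer_profile_fixed(cookie, requested_id):
    """Object-level authorization: the id must match the customer bound to the
    session. A mismatch gets 404 rather than 403 so the response does not
    confirm that the requested id exists."""
    caller_id = SESSIONS.get(cookie)
    if caller_id is None:
        return 401, None
    if requested_id != caller_id:
        return 404, None
    profile = PROFILES.get(requested_id)
    return (200, profile) if profile else (404, None)

def enumeration_suspects(log_lines, max_distinct_ids=1):
    """Detection side: sessions that fetched more distinct profile ids than
    allowed. Constructed log format: '<session> GET /show_customer_profile?id=<n>'."""
    ids_by_session = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        if path.startswith("/show_customer_profile?id="):
            ids_by_session[session].add(int(path.rsplit("=", 1)[1]))
    return sorted(s for s, ids in ids_by_session.items() if len(ids) > max_distinct_ids)

# Constructed log: Mallory's session requests three ids; Alice reads only her own.
SAMPLE_LOG = [
    "cookie-mallory GET /show_customer_profile?id=1001",
    "cookie-mallory GET /show_customer_profile?id=1002",
    "cookie-mallory GET /show_customer_profile?id=1003",
    "cookie-alice GET /show_customer_profile?id=1001",
]
```

The fixed handler keys authorization on the session, not on the client-supplied id; the detector is the kind of check that would have flagged the two freshly created accounts pulling records they did not own.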
How could this happen? u/1Steelghost1 comes to this haunting conclusion: [You’re fired—Ed.]
We are fighting against corporate dip****s that calculate user data over data security procedures. Spent 10 years doing IT security and this stuff is actually super easy, but companies don’t want to spend the money on equipment or people. They would rather just say, “Whoopsy, our bad,” and everyone waves it off.
How could we focus their minds better? Another Anonymous Coward suggestifies thuswise:
How about a mandatory minimum payment of say $200 directly to every customer whose data is illegally accessed? Doesn’t mean courts or regulators can’t decide on larger settlements, [but] by making the companies pay customers a minimum sum directly it minimises the need for class actions where the only beneficiaries are lawyers.
…
Obviously some of the largest hacks would bankrupt the negligent business. … Operations would continue through Chapter 11, … so the only people who lose out are the investors and the board.
What did Fidelity do next? James Baker implies the hack prompted a wider account lockdown:
Now let’s talk about how they are holding hostage deposits into our Cash Management Accounts with no warning, no communication. Many have been impacted. Simply unacceptable.
Still, at least the breach involves only “a small subset of our customers.” bill 27 ain’t impressed:
If you’re one of the 77,099 people, then it’s not such a small subset.
Meanwhile, u/No_Variation_9282 finds the silver lining:
I get so many, “Your valuable data has been compromised,” letters in the mail, I swear hackers are just keeping the post office in business.
I can’t believe PMJ never did Fireflies—until now
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.