Fidelity Brokerage Services Hit by Three-Day Cyberattack in August 2024, Exposing Sensitive Customer Data
In August 2024, Fidelity Brokerage Services suffered a three-day cyberattack that exposed the personal and financial data of approximately 77,000 customers, including passport details, driver’s license numbers, Social Security numbers, credit card information, and medical records. The breach, which occurred between August 17 and 19, was the result of a vulnerability in Fidelity’s online access controls, allowing unauthorized access to a document repository.
A bad actor exploited a flaw in the system’s "Image ID" parameter, enabling them to manipulate browser URLs to view other customers’ documents. While Fidelity detected and halted the breach within days, the Massachusetts Secretary of the Commonwealth, William Galvin, issued a $1.25 million fine against the firm for failing to enforce adequate cybersecurity measures. The consent order revealed that Fidelity’s security policies were not properly enforced, allowing users to access documents beyond their own accounts.
The breach affected not only Fidelity customers but also beneficiaries and relatives, including minors, whose data was compromised. While Fidelity notified impacted customers, it failed to alert all affected individuals, including non-customers whose information was exposed.
Fidelity stated that no customer accounts or funds were accessed during the incident and that there has been no evidence of identity theft or fraud resulting from the breach in the nearly two years since. The company has since taken steps to remediate the issue and strengthen its security protocols. The incident adds to a growing list of financial firms targeted by cyberattacks in recent years, including LPL Financial and Ameriprise Financial, which have also reported data breaches.
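As an added illustration (not Fidelity's code), the Python below models the access-control failure described above: a document repository looked up by an "Image ID"-style request parameter, with the handler that trusts the identifier alone beside one that enforces ownership and records denials so repeated probing can be detected. The repository, customer ids and function names are constructed for the example.

```python
"""Object-level authorization on a document-id request parameter (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    image_id: str   # identifier that appears in the URL
    owner_id: str   # customer the document belongs to
    body: str


# Constructed sample repository: two customers, three documents.
REPO: Dict[str, Document] = {
    "1001": Document("1001", "cust-A", "tax form for A"),
    "1002": Document("1002", "cust-A", "passport scan for A"),
    "1003": Document("1003", "cust-B", "driver's license for B"),
}

AUDIT_LOG: List[str] = []


def get_document_unchecked(session_user: str, image_id: str) -> Optional[str]:
    """Vulnerable pattern: any authenticated user who supplies a valid id gets the file.
    The session user is never compared against the document's owner."""
    doc = REPO.get(image_id)
    return doc.body if doc else None


def get_document_checked(session_user: str, image_id: str) -> Optional[str]:
    """Hardened pattern: the lookup is scoped to the caller's own documents.
    Missing and not-owned ids both return None, so the response does not
    reveal whether another customer's id exists; every denial is logged."""
    doc = REPO.get(image_id)
    if doc is None or doc.owner_id != session_user:
        AUDIT_LOG.append(f"DENY user={session_user} image_id={image_id}")
        return None
    return doc.body


def count_denials_for(user: str) -> int:
    """Detection hook: many denials from one session are a sign of id enumeration."""
    return sum(1 for line in AUDIT_LOG if f"user={user} " in line)
```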
Ameriprise Financial Services, LLC cybersecurity rating report: https://www.rankiteo.com/company/ameriprise-financial-services-llc
{
  "id": "AME1777303499",
  "linkid": "ameriprise-financial-services-llc",
  "type": "Breach",
  "date": "8/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "77000",
      "industry": "Brokerage",
      "name": "Fidelity Brokerage Services",
      "type": "Financial Services"
    }
  ],
  "attack_vector": "Exploitation of vulnerability in online access controls",
  "customer_advisories": "Notified impacted customers, but not all affected individuals (including non-customers).",
  "data_breach": {
    "number_of_records_exposed": "77000",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Passport details",
      "Driver’s license numbers",
      "Social Security numbers",
      "Credit card information",
      "Medical records"
    ]
  },
  "date_detected": "2024-08-19",
  "date_resolved": "2024-08-19",
  "description": "Fidelity Brokerage Services suffered a three-day cyberattack in August 2024 that exposed the personal and financial data of approximately 77,000 customers, including passport details, driver’s license numbers, Social Security numbers, credit card information, and medical records. The breach was due to a vulnerability in Fidelity’s online access controls, allowing unauthorized access to a document repository.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "data_compromised": "Personal and financial data (passport details, driver’s license numbers, Social Security numbers, credit card information, medical records)",
    "downtime": "3 days",
    "financial_loss": "1250000",
    "identity_theft_risk": "Yes",
    "legal_liabilities": "Fines imposed",
    "operational_impact": "Unauthorized access to customer documents",
    "payment_information_risk": "Yes",
    "systems_affected": "Document repository, online access controls"
  },
  "initial_access_broker": {
    "entry_point": "Vulnerability in 'Image ID' parameter"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Failure to enforce adequate cybersecurity measures and security policies led to unauthorized access to customer documents.",
  "post_incident_analysis": {
    "corrective_actions": "Strengthened security protocols, remediated the vulnerability",
    "root_causes": "Flaw in 'Image ID' parameter allowing URL manipulation, inadequate enforcement of security policies"
  },
  "recommendations": "Enforce stricter access controls, ensure proper notification of all affected individuals (including non-customers), and strengthen security protocols.",
  "references": [
    { "source": "Massachusetts Secretary of the Commonwealth" }
  ],
  "regulatory_compliance": {
    "fines_imposed": "1250000",
    "legal_actions": "Consent order issued by Massachusetts Secretary of the Commonwealth"
  },
  "response": {
    "communication_strategy": "Notified impacted customers, but failed to alert all affected individuals (including non-customers)",
    "containment_measures": "Detected and halted the breach within days",
    "remediation_measures": "Strengthened security protocols, remediated the vulnerability"
  },
  "threat_actor": "Bad actor",
  "title": "Fidelity Brokerage Services Cyberattack",
  "type": "Data Breach",
  "vulnerability_exploited": "Flaw in 'Image ID' parameter allowing URL manipulation"
}