Fidelity Investments says data breach affects over 77,000 people

Fidelity Investments, a Boston-based multinational financial services company, disclosed that the personal information of over 77,000 customers was exposed after its systems were breached in August.

As one of the largest asset managers in the world, with $14.1 trillion in assets under administration and $5.5 trillion under management, Fidelity employs over 75,000 associates across 11 countries in North America, Europe, Asia, and Australia.

In a filing with the Office of Maine’s Attorney General, the company said that an unknown attacker stole data between August 17 and 19 using “two customer accounts that they had recently established.”

“We detected this activity on August 19 and immediately took steps to terminate the access. An investigation was promptly launched with assistance from external security experts,” Fidelity said in data breach notifications sent to affected individuals.

“The information obtained by the third party related to a small subset of our customers. Please note that this incident did not involve any access to your Fidelity account(s).”

Fidelity added that the incident exposed the data of 77,099 customers but has yet to reveal what personal information was stolen in the data breach besides names and other personal identifiers (as shared with Maine’s Attorney General).

When asked how the attacker could access the data of thousands of customers using two accounts they previously created, Michael Aalto, Fidelity’s head of external corporate comms, told BleepingComputer they couldn’t share that information and added that “they did not view accounts. They viewed customer information”.

Even though Fidelity says there is no evidence that the stolen customer data has been misused, the company provides those affected with two years of free TransUnion credit monitoring and identity restoration services.

“In addition to enrolling in the credit monitoring and identity restoration services it is always a good idea to remain vigilant for fraudulent activity or identity theft by regularly reviewing your statements for your financial and other accounts, monitoring your credit reports, and promptly reporting any suspicious activity to your financial institution (if applicable), local law enforcement, or your appropriate state authority,” it also advised affected customers.