Fidelity Investments announced it experienced a data breach. This breach, which occurred in mid-August, has affected a more than 77,000 customers.

Security leaders weigh in 

Mr. Venky Raju, Field CTO at ColorTokens:

“As the attackers were able to use their own accounts to access other customer accounts, it is clear that there are security misconfigurations in Fidelity’s customer-facing web applications. This attack vector is so well known and understood that it is ranked number one in OWASP’s Top 10 Web Application Security Risks. Termed ‘Broken Access Control’ by OWASP, one of the risks associated with this is permitting the viewing or editing of someone else’s account by providing its unique identifier. Attackers may have exploited this vulnerability to create new accounts at Fidelity and access other accounts.”

Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start:

“The Fidelity data breach highlights the persistent threat faced by financial institutions and their customers. While the attackers’ specific motives remain unclear, it’s likely that information gathering was a primary objective. This information could be used for future attacks, such as identity theft, phishing campaigns, or even ransomware demands.

“The ‘beachhead’ theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.

“Cyberattacks on financial institutions often involve a combination of techniques, such as phishing, social engineering, exploiting vulnerabilities, and credential stuffing. To mitigate these risks, banks and financial institutions should prioritize robust security measures, including multi-factor authentication, encryption, and regular vulnerability assessments. Educating employees about cybersecurity threats and best practices is crucial to prevent social engineering attacks. A comprehensive incident response plan is essential for promptly detecting and addressing security breaches. Continuous monitoring of networks and systems for suspicious activity is vital, along with adherence to relevant industry regulations and standards to ensure data privacy and security.

“The Fidelity data breach underscores the need for financial institutions to remain vigilant and proactive in protecting themselves and their customers from evolving cyber threats. By understanding common attack tactics and implementing robust security measures, institutions can better safeguard their assets and maintain customer trust.”

Mr. Piyush Pandey, CEO at Pathlock:

“It is of critical importance to have robust sensitive data and application access controls within financial institutions. The interconnectedness and intricacy of supply chains in the financial industry increases the difficulty of the management of, as well as the securing of, third-party access. Given how highly regulated this sector is when it comes to data protection and privacy, ensuring that third-party vendors adhere with these regulations is vital, yet continue to be a challenge.

“By focusing on rigorous controls testing and enforcement, including stringent management of third-party identities and access, financial institutions can significantly strengthen their security posture, protect sensitive data, and ensure compliance with regulatory requirements. This proactive approach not only safeguards customer data (and trust), it enhances the financial institution’s overall resilience against attacks like this.”

Marcus Fowler, CEO of Darktrace Federal:

“Financial institutions have historically been a top target for threat actors, given the very nature of their operations. In response, these organizations often have the most advanced and sophisticated cybersecurity programs. AI represents the greatest advancement in truly augmenting our cyber workforce and these organizations serve as an excellent example of how AI can be effectively applied to security operations to increase agility and harden defenses against novel threats. We encourage these organizations to facilitate open conversations around their successes and failures deploying AI to help other organizations across sectors accelerate their adoption of AI for cybersecurity.”