Fidelity Investments is the latest American company to be hit by a massive data breach. 

The company is one of the world’s largest asset managers, yet it still can’t get its cybersecurity infrastructure together. This incident marks the firm’s second breach in 12 months, occurring in August. 

While no Fidelity accounts were compromised, personal information was exposed, including Social Security numbers and driver’s licenses.

GET SECURITY ALERTS, EXPERT TIPS — SIGN UP FOR KURT’S NEWSLETTER — THE CYBERGUY REPORT HERE

What happened?

Fidelity Investments reported in a filing with Maine’s attorney general that an unnamed third party accessed information from its systems using two recently established customer accounts. It did not say how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers.

“We detected this activity on August 19 and immediately took steps to terminate the access,” Fidelity stated in a letter sent to those affected. The company confirmed that the data breach compromised the personal information of over 77,000 customers but did not involve any access to their Fidelity accounts. This incident still represents only a small portion of its overall customer base of 51.5 million.

The breach occurred between Aug. 17 and 19 when an attacker accessed customer names and other personal identifiers, including Social Security numbers and driver’s licenses. Fidelity was able to stop the unauthorized access on Aug. 19 after detecting the breach.

A man surfing on his cellphone. (Kurt “CyberGuy” Knutsson)

MONEYGRAM HACK EXPOSES CUSTOMERS’ SENSITIVE DATA AND CRIPPLED SERVICES

Is Fidelity doing anything about the breach?

“We take this incident and the security of your information very seriously. As mentioned earlier, upon detecting this activity, we promptly took steps to terminate it and address the situation,” the company stated in a notice sent to affected customers. However, it’s difficult to gauge how seriously it is taking this incident, especially since this marks the second occurrence in 2024 alone.

Fidelity is offering free credit monitoring and identity restoration services for those impacted by this breach for 24 months. The company also encourages individuals to stay vigilant, regularly review their financial statements and report any suspicious or fraudulent activity.

CLICK HERE FOR MORE U.S. NEWS

Illustration of a hacker at work. (Kurt “CyberGuy” Knutsson)

6 ways to protect yourself from a data breach

1. Enable two-factor authentication (2FA) on all accounts: One of the most effective ways to protect your personal and financial information from hackers is to enable two-factor authentication (2FA) wherever possible. This adds an extra layer of security by requiring two forms of verification before granting access to your account, such as a password and a one-time code sent to your phone. Even if your password is stolen, 2FA can stop hackers from getting into your accounts.

2. Monitor your financial accounts regularly: After a data breach, especially when sensitive financial information like transaction details and bank account numbers have been compromised, it’s crucial to regularly monitor your bank statements, credit card transactions and even small purchases. Look for unauthorized activity, no matter how minor it seems, and report it to your bank or service provider immediately.

3. Change your passwords and use strong, unique passwords: Fidelity customers who reused passwords across multiple accounts should update their login information immediately. A strong password combines uppercase and lowercase letters, numbers, and symbols, making it harder for hackers to guess or crack. Consider using a password manager to securely store and generate complex passwords. 

4. Sign up for identity theft protection: Given that hackers stole Social Security numbers, government-issued IDs and other sensitive information in the Fidelity breach, affected customers should consider enrolling in identity theft protection. These services notify you if someone attempts to open new lines of credit or loans in your name, allowing you to take immediate action to prevent identity theft. Additionally, you can place fraud alerts or freezes on your credit reports to prevent unauthorized access. See my tips and best picks on how to protect yourself from identity theft.

5. Be wary of phishing attacks and scams: After a data breach, there is often an uptick in phishing attacks, where scammers try to trick you into revealing additional personal information by posing as legitimate companies. Always double-check the authenticity of emails, especially those asking for sensitive information. Never click on links or download attachments from suspicious sources, and verify any requests for information by contacting the company directly. 

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

6. Invest in personal data removal services: While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Check out my top picks for data removal services here.

WORLD’S LARGEST STOLEN PASSWORD DATABASE UPLOADED TO CRIMINAL FORUM 

Kurt’s key takeaways

Fidelity manages over $14 trillion in assets, which speaks volumes about the company’s revenue and the expectations clients have for it to safeguard their data and assets. However, it appears that robust cybersecurity isn’t a top priority for Fidelity. Instead of implementing meaningful security measures, the company seems to be taking a “slap on the wrist” approach, signing people up for services that merely shift the responsibility to individuals to monitor for violations. There’s a lack of security measures at the individual level, such as row-level security or authentication tokens that require personal approval for access to records.

Should Fidelity and similar companies face harsher penalties for repeated breaches? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.