In August, a threat actor compromised the data of 77,099 customers of Fidelity Investments in Maine, the financial company said Oct. 9 in a breach notification letter to thousands of customers.

The attacker did not have access to funds in Fidelity investment accounts. However, the hacker obtained personal information – including Social Security numbers and driver’s licenses – and created two new customer accounts. In response, Fidelity blocked the attacker’s access and offered affected customers a credit monitoring and identity restoration service.

“We take this incident and the security of your information very seriously,” the Fidelity Investments Private Office wrote in a sample notice for Maine residents. “As noted above, upon discovering this activity, we took immediate action to stop the activity and resolve this incident.”

The elements of the cyberattack remain unknown

According to Fidelity’s data breach notification in the state of Maine, the attack occurred between August 17 and 19. At this time, Fidelity has not disclosed how the attacker gained access or what aspects of the new accounts allowed him to navigate the system.

“The information received from third parties related to a small subset of our customers,” Fidelity wrote.

SEE: It’s that time again: Both Microsoft and Apple have big updates around Patch Tuesday.

In addition to closing the attacker’s door to the system, Fidelity brought in outside security experts to assist in the investigation. The response was prompt, Fidelity said. The company offered credit monitoring and identity restoration services that uncovered any unusual activity in affected customers’ investment accounts.

This is not Fidelity’s first contact with cyber attackers. In March, Fidelity filed a disclosure alleging that customers’ personal information was exposed in a ransomware attack. In this case, hackers penetrated the IT systems of Infosys McCamish Systems in November 2023. The October disclosure appears to have nothing to do with this attack.

Take precautions with accounts that contain sensitive information

Fidelity reminded customers to monitor their own accounts for potential fraud or other suspicious behavior. They also direct customers to instructions for filing a fraud alert or credit report. Her recommendations include:

• Check your bank statements and other account statements regularly.
• Monitor your credit reports.
• Report suspicious activity immediately to your financial institution, local law enforcement, or appropriate state agency.

When reached for comment, Fidelity confirmed the information contained in the draft breach notice.

“We recognize that our customers may have questions about this event and we have resources to support them,” Fidelity said in a statement from Michael Aalto, the company’s head of external communications. “Fidelity takes seriously its responsibility to serve customers and protect information.”