In August, a threat actor compromised the data of 77,099 Fidelity Investments customers in Maine, the financial firm said in a breach notification letter to thousands of customers on Oct. 9.

The attacker didn’t access funds in Fidelity investment accounts. However, the hacker obtained personal information — including Social Security numbers and driver’s licenses — and created two new customer accounts. In response, Fidelity shut down the attacker’s access and offered affected customers a credit monitoring and identity restoration service.

“We take this incident and the security of your information very seriously,” the Fidelity Investments Private Office wrote in a sample notice drafted for Maine residents. “As noted above, upon detecting this activity, we promptly took steps to terminate the activity and address this incident.”

Elements of cyberattack remain unknown

According to Fidelity’s data breach notification in the state of Maine, the attack occurred between Aug. 17 and 19. As of this writing, Fidelity has not disclosed how the attacker gained access or what aspects of the new accounts allowed them to navigate through the system.

“The information obtained by the third party related to a small subset of our customers,” Fidelity wrote.

Along with shutting the attacker’s door into the system, Fidelity brought in external security experts to assist with the investigation. The response was prompt, Fidelity said. The company offered credit monitoring and identity restoration services, which would flag any unusual activity in the affected customers’ investment accounts.

This isn’t Fidelity’s first brush with cyberattackers. In March, Fidelity filed a disclosure saying customers’ personal information had been exposed in a ransomware attack. In that case, hackers broke into Infosys McCamish Systems through its IT systems in November 2023. The October disclosure appears unrelated to that attack.

Take precautions with accounts containing sensitive information

Fidelity reminded customers to monitor their own accounts for potential fraud or other suspicious behavior. The company also directed customers to instructions for placing a fraud alert or credit report. Its recommendations include:

  • Regularly review your statements for your financial and other accounts.
  • Monitor your credit reports.
  • Promptly report any suspicious activity to your financial institution, local law enforcement, or your appropriate state authority.

When reached for comment, Fidelity confirmed the information presented in the draft breach notification.

“We recognize our customers may have questions about this event and we have resources in place to assist them,” Fidelity said in a statement provided by Corporate External Communications Head Michael Aalto. “Fidelity takes its responsibility to serve customers and safeguard information seriously.”
