Security

Fidelity Customers' Financial Info Feared Stolen In Suspected Ransomware Attack (theregister.com)

An anonymous reader quotes a report from The Register: Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information -- including bank account and routing numbers, credit card numbers and security or access codes -- after breaking into Infosys' IT systems in the fall. According to Fidelity, in documents filed with the Maine attorney general's office, miscreants "likely acquired" information about 28,268 people's life insurance policies after infiltrating Infosys.

"At this point, [Infosys] are unable to determine with certainty what personal information was accessed as a result of this incident," the insurer noted in a letter [PDF] sent to customers. However, the US-headquartered firm says it "believes" the data included: names, Social Security numbers, states of residence, bank accounts and routing numbers, or credit/debit card numbers in combination with access code, password, and PIN for the account, and dates of birth. In other words: Potentially everything needed to drain a ton of people's bank accounts, pull off any number of identity theft-related scams -- or at least go on a massive online shopping spree.

LockBit claimed to be behind the Infosys intrusion in November, shortly after the Indian tech services titan disclosed the "cybersecurity incident" affecting its US subsidiary, Infosys McCamish Systems aka IMS. It reported that the intrusion shuttered some of its applications and IT systems [PDF]. This was before law enforcement shut down at least some of LockBit's infrastructure in December, although that's never a guarantee that the gang will slink off into obscurity -- as we've already seen.

"Since learning of this event, we have been engaged with IMS to understand IMS's actions to investigate and contain the event, implement remedial measures, and safely restore its services," Fidelity assured its customers. "In addition, we remain engaged with IMS as they continue their investigation of this incident and its impact on the data they maintain."

  • by Anonymous Coward on Wednesday March 06, 2024 @06:25PM (#64295788)
    To clarify - sending sensitive personal data to bottom of the barrel Indian outsourcers... was not the needful.
    • by Dan667 ( 564390 ) on Wednesday March 06, 2024 @06:58PM (#64295874)
      I have worked with a lot of really great Indian Programmers, but when you get the cut rate ones, wow. One time we were reviewing their code and this one guy had nested 100 if statements. Code did not work right and I have no idea why he thought that was the best way to code it. It was a nightmare to try and even troubleshoot. Management finally gave up trying to save a dollar and it was faster for us to just throw that code away and start over from scratch than to try and fix it.
      • Comment removed based on user account deletion
      • by Anonymous Coward

        What is fun is when you encounter code with comments like, "We do not know how this works, the dude who made this got laid off, and if any of us touch this loop, the entire app will collapse, so don't touch this!"

        Another one was someone who would use SELECT statements without any WHERE clauses, then pass the output to Select-String, which meant the DB was chewed up by his transactions. I wound up quietly fixing those things, even though I was the DBA/Ops guy, just because those would slam the database into

    • by Anonymous Coward

      Infosys, TCS, WiPro, Accenture, and others are world class companies. If they get hacked, nobody in the world could have done any better.

      There is a reason why these guys run IT departments in Fortune 500 companies, and why lazy, overpaid workers get their jobs yeeted to these companies. It is called value, and not having to deal with payroll and employees gives returns back in spades.

      Sorry, but pretty much these guys are where the big boys go to keep their stuff secure, and these world class companies off

  • Causes another security breach. When will these firms be barred from doing business in the U.S......
  • by Midnight_Falcon ( 2432802 ) on Wednesday March 06, 2024 @06:33PM (#64295808)
    Cyber Liability insurance allows companies like Fidelity, who are in the business of insurance, simply to assign "risk" to security incidents like this in terms of dollar impact. Then, they buy liability insurance (at incentivized rates most likely, considering their market power) in case something happens. As it turns out, this costs less than actually implementing good security that doesn't make user experience miserable.

    All roads lead to a nice bonus for executives regardless.

  • "Suspected ransomware attack"? How do you have a suspected ransomware attack? The defining feature of ransomware is (wait for it) the demand for ransom. That pretty much gives away the game. If no one has demanded ransom, it's not ransomware. QED.

    • by XXongo ( 3986865 )

      "Suspected ransomware attack"? How do you have a suspected ransomware attack?

      Data was stolen in an intrusion.
      There was a ransom demand.

      The "suspected" part is the question, did the ransom demand come from the people who broke in? Or by opportunists taking advantage of somebody else's break-in?

      • "Suspected ransomware attack"? How do you have a suspected ransomware attack?

        Data was stolen in an intrusion.
        There was a ransom demand.

        The "suspected" part is the question, did the ransom demand come from the people who broke in? Or by opportunists taking advantage of somebody else's break-in?

        "In addition, we remain engaged with IMS as they continue their investigation of this incident and its impact on the data they maintain."

        Translation:

        "In addition, our foot remains engaged IMS' ass as they continue their investigation of this incident and its impact on the data they maintain."

      • I didn't notice the ransom demand when I skimmed the article, but if it was there I withdraw my remark.
  • by 93 Escort Wagon ( 326346 ) on Wednesday March 06, 2024 @06:53PM (#64295862)

    I'm not usually this sort of person, but I'm beginning to think the solution to ransomware gangs needs to be covert military operations.

    However in this case I will be curious to see if the "ransomware" explanation holds up over time. Given the payoff if you're successful, it would make sense to try offering one of the low-paid Indian outsourced employees a relative fortune (from his perspective) to simply grab the data for you.

    • Ransomware gangs have insane op sec. If the TLAs can't find them, then the military won't be able to, either.
      • by Entrope ( 68843 )

        Their op sec mostly extends to working out of countries that won't extradite them: Russia, China and North Korea. I haven't seen any good evidence that the TLAs haven't found them, rather than them just being impractical to get.

        • Looks more practical to cut-off hakr-friendly countries from all financial transactions with western nations. From banks to brothels no money passes between these countries. This particularly affects China ... and their "pet" USA companies like APPLE. Good for USA citizen workers, bad for CCP military. Except for furry-brained bushy-browed globalists what's not to like?
          • Even if that happens, all the bad guys have to do is just demand payment by Bitcoin. No worries about sanctions, SWIFT account freezings, and so on. Even if coins are "tainted", all it takes is a tumble, coinjoin, or a transfer to ZCash and back... and that job is done.

    • I'm not usually this sort of person, but I'm beginning to think the solution to ransomware gangs needs to be covert military operations.

      Overt. Overt military operations. First, take out all the executives at Fidelity for implausibly loose security standards that would even allow such a breach to occur. Second, take out the ransomware gang.

      We can send the Fidelity execs to Gitmo for a decade or two, if they survive.

      • Sadly, this is a bank. These are the guys military companies get their money from. The chance of anything happening that might be anything costing them is pretty much the same chance as a Boltzmann brain appearing out of the ether, running for President, and winning... i.e. zero.

        What would be nice is if the government would regulate cyber insurance providers and require stipulations before people are signed up or their contracts renewed. Even base level stuff like FDE, backups, having some managed AV pro

    • We beat this crap before. Back in the late 1990s/early 2000s, there were a lot of worms and viruses which would not just destroy data, but try overwriting PC firmware, throwing monitors into resolutions they can't handle, and frying them, trying to get CD-ROM drives to spin so fast that they break, setting ATA passwords on drives (which has been mitigated by the "FROZEN" state where after boot, the drive has to be power cycled for the ATA password to be added), and so on.

      Companies buckled down, installed AV

  • by sinkskinkshrieks ( 6952954 ) on Wednesday March 06, 2024 @07:44PM (#64295972)
    And rolling guilt up the food chain across outsourcing, it will keep happening. Carrots and strong words haven't sufficed. It's time for brutality against corporate schmucks until they get the message because it and profits are the only languages they understand.
