Nearly 30,000 individuals were impacted by a third-party breach affecting insurance giant Fidelity Investments Life Insurance (FILI), the company disclosed in a regulatory filing with the Office of the Maine Attorney General.
The “cybersecurity event” affected Infosys McCamish Systems LLC (IMS), a service provider Fidelity uses to administer EFILI life insurance policies.
In November 2023, the US subsidiary of the Indian tech juggernaut Infosys said it retained the services of a third-party cybersecurity forensics firm after a cyber incident disrupted its systems.
IMS launched an investigation and determined that unauthorized individuals compromised its systems and accessed data between October 29 and November 2, 2023.
Fidelity third-party breach leaked PII and financial information
According to the data breach notification filed with Maine’s AG, Fidelity discovered the third-party breach on February 13, 2024, and launched an investigation with its third-party service provider, IMS.
The probe determined that the third-party breach exposed the sensitive information of 28,268 individuals.
In the security incident alerts sent to impacted customers, FILI said that the third-party breach leaked the names, Social Security Numbers, states of residence, bank account and routing numbers, and dates of birth. However, the leaked customer data varied based on the information each individual provided on their file.
The third-party breach also exposed financial account numbers or credit/debit card numbers combined with security codes, access codes, and account passwords or PINs.
However, Fidelity warned that it could not “determine with certainty what personal information was accessed as a result of this incident.” The insurance giant said the companies would “continue their investigation of this incident and its impact on the data they maintain for FILI.”
Fidelity also explained that its internal systems were not compromised at any point during the Infosys McCamish cyber attack.
Nevertheless, the company offered interested victims 24 months of complimentary credit monitoring and identity restoration with TransUnion Interactive to protect them from fraud.
“The exposure of credentials for third-party resources fuels money laundering and fraud for the 30,000 victims,” warned Jim Routh, Chief Trust Officer at Saviynt. “Off-shore third-party professional services firm consultants need mature identity management capabilities from the enterprise to protect against these types of cyber incidents.”
Impacted victims should take additional safety measures, such as monitoring their financial accounts and credit reports and promptly reporting any suspicious activity to their financial institutions and law enforcement.
Another Infosys McCamish financial data leak
Fidelity Investments is the second financial services company impacted by an Infosys McCamish data breach, highlighting the risk associated with a single service provider.
Similarly, the dependence on third-party providers whose security practices cannot be internally audited exposes primary organizations to cyber attacks.
“Third-party security breaches continue to increase in frequency and impact,” noted Jeff Margolies, Chief Product and Strategy Officer at Saviynt. “Enterprises are highly reliant on third-party service providers, who are now often the easiest vector into an enterprise’s most critical data. Enterprises need to improve their capabilities to manage and govern their third-party access as part of their identity security programs.”
IMS disclosed the apparent ransomware attack on November 3, 2023, in a brief regulatory filing with the U.S. Securities and Exchange Commission (SEC).
On January 11, IMS said in a Statement of Consolidated Audited Results filed with the SEC that it hired external security experts and restored impacted systems by December 31, 2023, adding that the cyber incident would cost the company roughly $30 million in remediation, restoration, and communication.
On February 1, 2024, Bank of America (BofA) disclosed it was the victim of a third-party breach involving IMS. BofA said the breach impacted 57,028 individuals, potentially leaking their names, addresses, dates of birth, business email addresses, Social Security Numbers, and other account details.
It remains unclear if the Bank of America and Fidelity Investments data breaches stemmed from the same cyber incident. If so, the cyber incident would point to a supply chain attack, with more victims expected soon.

