
What Fidelity’s Data Breach Means for Advisors

Experts believe the perpetrator used tokens to access the personal information through improperly configured third-party code.


How about two years of free credit monitoring, and we call it even?

Fidelity Investments’ data breach that hit customers in August is serving as a wake-up call for financial advisors about the threats cybercriminals pose to their businesses. The Boston-based brokerage announced last week that a hacker gained access to the personal data of more than 77,000 clients through two recently opened accounts. It’s led to a class action lawsuit.

Experts believe the perpetrator gained access to the personal information through improperly configured third-party code. With over 2,000 similar breaches this year, so-called supply chain attacks are becoming hackers’ preferred way to access protected systems, according to Yashin Manraj, CEO of the cybersecurity firm Pvotal Technologies.

Advances in artificial intelligence are also helping scammers capitalize more effectively on stolen identities, data breaches, and troves of data posted on social media. “The sophistication of AI-powered attacks will make for a challenging few years,” he said. 

Fake It ‘Til You Take It

Deepfake technology is helping hackers swindle clients by cloning voices and images. These “social engineering” tactics help fraudsters trick firms or users into giving them access to their investment accounts or other sensitive data. In the past year, there has been an increase in successful hacks, Manraj said, and scammers are now using unprotected client social media accounts to create the clones.

“The rise of low-cost AIs, large language models, and automation tools has empowered scammers to widen their net … and use AI to camouflage their real identities, voice, and language,” he said. The new techniques include:

  • Using AI to monitor employees and scan public records and job descriptions, and using social media to identify potential weaknesses.
  • Romance scams — there have also been at least 10 successful data breaches this year that involved one, Manraj said. 

Keep It In Perspective. Fidelity said there has been no evidence the personal information has been misused, and the issue impacted a fraction of its customers. A representative for the company declined to comment.

“We should keep in mind that these incidents may sound large, but affect only a small percentage of the firm’s 51.5 million individual clients,” said John O’Connell, founder of the consulting firm The Oasis Group. He added that the incident appears to have been a “breachhead,” where attackers establish a foothold to launch further attacks.

Phish Food. Just last week, firms were hit with a phishing scam that attempted to imitate FINRA executives. The “ongoing” campaign included scammers sending emails posing as leaders of the regulator with a PDF attachment that could include “malicious” content, according to a FINRA cybersecurity alert.

“Individuals are more susceptible to falling for a scam if the data presented appears professional, well-thought-out, and a reasonable service that they have recently used,” Manraj said.