The company was part of a supply chain breach that happened in 2023.
What happened
Recently, Fidelity filed a notice with the Maine Attorney General’s Office, stating that some customers had data leaked following a breach at Infosys McCamish Systems LLC, a technology service run by India-based company Infosys.
In the filing, Fidelity shared that approximately 28,268 customers were impacted. The attack included names, financial account numbers, and credit/debit card information (including passwords, security codes, and PINs). In the sample breach notice to impacted customers, Fidelity said the breach occurred between October 29th, 2023, and November 2nd, 2023.
As soon as Fidelity learned of the breach, the company quickly contacted Infosysis McCamish Systems to learn the nature and scope of the event. Once the company knew that Fidelity data was involved, the company “conducted a manual review of our records to identify the individuals potentially affected by this event.”
Going deeper
The breach initially impacted Infosys McCamish Systems, allowing an unauthorized party to gain access to data stored–including information from Fidelity customers. Still, Fidelity clarified that their networks and systems remain secure.
Infosys McCamish provides business technology-related services and serves a number of banking institutions. The company first announced the breach in November of 2023, although impacted businesses are still coming forward. At the time, the incident was large enough to make some applications and systems unavailable. After the breach took place, LockBit, a ransomware organization allegedly based out of Russia, took credit.
Infosys was able to restore impacted systems by December 31st. The company stated they lost nearly $30 million and expect to lose more as additional legal claims arise. Unfortunately, the Infosys McCamish breach didn’t just impact Fidelity; Bank of America customers were also affected earlier this year. Nearly 57,000 Bank of America customers had personal information accessed, including names, addresses, email addresses, dates of birth, social security numbers, and more.
Read more: Bank of America Releases notice of massive data breach
Why it matters
The data breach showcases how many organizations are reliant on third parties for administrative or operational tasks. Unfortunately, even if an organization like Fidelity has a strong security system, companies they interact with may not necessarily apply the same standards. Organizations that potentially interact with private data should take every precaution possible to keep that data protected.
Read more: HIPAA Compliant Email: The Definitive Guide
The big picture
For Fidelity customers, the breach may come as a surprise. Many customers don’t necessarily know what third parties have access to their data. This can add confusion for those who receive breach notice letters.
With an increasingly privacy-aware public, organizations need to consider ways that data could potentially be accessed. Even though Fidelity systems remained secure, they are only as secure as the companies they work with.
Abby Grifno
