Blames Infosys, hah!!!
You outsourced to an offshore company without tough security guardrails, i.e. based on commercial costs that did not include cybersecurity requirements.
You get what you pay for.
Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information — including bank account and routing numbers, credit card numbers and security or access codes — after breaking into Infosys' IT systems in the fall. According to Fidelity, in documents filed with the …
Quite. Seems like the headlines should be more like "Infosys at fault for yet another security incident, customer data stolen".
Also seems like "do you use Infosys?" should be among the first questions in any security auditor list. With an immediate mark-down if answered in the affirmative. Sorry, no insurance coverage for you.
Infosys (et al) supposedly have such awful reputations in the IT industry, customers should already know better than to employ them. And yet it keeps happening, presumably because Infosys has bottom-dollar fees to go along with their cut-rate consultants.
Creating some impact to that financial bottom line motivation is likely the only way to start turning things around. Public/PR news and headlines, high insurance premiums, direct penalties to the executives making these business decisions, etc.
"Infosys (et al) supposedly have such awful reputations in the IT industry, customers should already know better than to employ them."
Exactly. To some this may sound racist, but the Asian / Indian subcontinent aren't exactly known for doing best business practices if it means cutting into the bottom line. Read: a large number of Asian / Indian businesses cost-cut and go the very cheapest way possible if it means making an extra pound. [We] have many dealings with them and they will penny-pinch you to absolute death if you let them or if that is what you are looking for - the very cheapest way out. But that's exactly why Fidelity chose them in the first place, they were (very undoubtedly) cheaper than in-house or domestic solutions; don't question why they are so cheap, just take the additional quarterly profits (and give management larger year-end bonuses, as well!).
The problem is the SEC won't hold Fidelity accountable for the end results of their endless and inevitable penny-pinching, quarterly profit-driven, no oversight or due diligence business practices. Fidelity will be allowed to blame Infosys, as if going to the lowest-cost bidder will ever lead to anything but a headache, and it will be the customers who pay (anyway, even if the SEC imposes a fine, it never comes out of the management's pocket).
I'm so sick of American & British end-stage capitalism, I can't even begin to tell you.
It seems that Fulton County (Atlanta) becoming "the leading distribution center for goods and services in the southeastern United States [and] a major financial and telecommunications hub" may also be making it a magnet for cyberevildoers (esp. Lockbit and Killnet). This here Infosys McCamish ("the center of excellence for Infosys’ Life Insurance software solutions and services offerings in the U.S."), which handled Fidelity data, is on Cumberland Boulevard in Atlanta. Fulton County government was the target of a recent attack, as was the Hartsfield-Jackson Atlanta International Airport, and the City of Atlanta before that.
Cyberattacks might come with the territory, but a "center for excellence in cybersecurity" might also be a useful addition there (if there isn't one).
That seems a rather dubious theory. Physical geography is not usually an attribute that you see a lot of ransomware affiliates chattering about. Typically it's whatever low-hanging fruit the updated scanners being run by the bot-army-as-a-service has picked up today, ranked by depth of pockets.
Or not keep it at all? I understand some of this is needed to verify the identity of a new account holder, but once that's done, why keep it? Even as a salted hash, it's fairly easy to break; if you can find out the salt, an SSN is only 9 digits, and a birthday has less than 43800 possibilities (365 days * 120 years), so would be pretty quick to brute-force.
For things like bank account and credit card info, I'd love to see something akin to a cookie being stored instead of the real info. User enters the data, company uses that to get the cookie from the bank, cookie is only valid for transfers between THAT bank and THAT company, company deletes bank/credit card info. If someone steals the cookie, it won't do any good; any transaction from a different IP address (for instance) is automatically denied.
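The commenter's point about hashed birthdays is easy to show in code. The following is an added example, not the commenter's or the page's own code: it takes the commenter's premise that the salt is known (it is stored next to the hash), enumerates the roughly 365 * 120 calendar days and recovers a salted SHA-256 of a date of birth in a single pass. The contrast at the end, a keyed HMAC whose key is kept apart from the records, is my own addition beyond what the comment says; the salt, key and date are constructed sample values.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample values, not from the page.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # stored beside the hash
PEPPER_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # kept apart (HSM/KMS)


def salted_hash(salt: bytes, dob: str) -> str:
    """What a naive 'we only keep a salted hash' scheme stores."""
    return hashlib.sha256(salt + dob.encode()).hexdigest()


def peppered_hash(key: bytes, salt: bytes, dob: str) -> str:
    """Same input, but keyed: without the key the digest cannot be recomputed."""
    return hmac.new(key, salt + dob.encode(), hashlib.sha256).hexdigest()


def dob_candidates(years: int = 120, end: date = date(2024, 12, 31)):
    """Every calendar day in the `years` before `end`: the commenter's 365 * 120 bound."""
    d = end - timedelta(days=365 * years)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def keyspace_size(years: int = 120) -> int:
    return sum(1 for _ in dob_candidates(years))


def recover_dob(salt: bytes, target_hex: str):
    """Enumerate the whole birthday space against one stored digest.

    Only the salt is needed; the attacker recomputes the unkeyed hash for
    every candidate day. Returns the date if found, else None.
    """
    for cand in dob_candidates():
        if hmac.compare_digest(salted_hash(salt, cand), target_hex):
            return cand
    return None


if __name__ == "__main__":
    stored = salted_hash(SALT, "1985-07-04")
    print("candidates:", keyspace_size())           # 43801
    print("salted SHA-256 recovered:", recover_dob(SALT, stored))
    # With the key held elsewhere, the same enumeration finds nothing.
    print("keyed HMAC recovered:", recover_dob(SALT, peppered_hash(PEPPER_KEY, SALT, "1985-07-04")))
```

The whole space is under 44k digests, so the loop finishes in a fraction of a second on any laptop; a salt only stops precomputed tables, it does not add entropy to the input. The defender's options are the commenter's (do not retain the value once verification is done) or, if a lookup is unavoidable, a keyed construction with the key stored away from the records.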
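The "cookie instead of the real info" idea above is essentially payment tokenization. As an added example (my own sketch, not the commenter's or the page's code), here is a toy issuer and merchant in Python: the merchant hands the account number to the bank once, keeps only an opaque token, and the bank will honour that token only for the merchant and origin it was issued to. The class names, merchant ids and IP addresses are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    account_number: str   # real bank data; lives only inside the bank
    merchant_id: str      # the one company this token is valid for
    allowed_origin: str   # e.g. the merchant's outbound IP, as the comment suggests


class Bank:
    """Toy issuer. Account numbers never leave this object."""

    def __init__(self):
        self._vault: dict[str, TokenRecord] = {}

    def issue_token(self, account_number: str, merchant_id: str, allowed_origin: str) -> str:
        token = secrets.token_urlsafe(24)          # random, carries no account data
        self._vault[token] = TokenRecord(account_number, merchant_id, allowed_origin)
        return token

    def authorize(self, token: str, merchant_id: str, origin: str, amount: int) -> tuple[bool, str]:
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id:
            return False, "token is bound to a different merchant"
        if rec.allowed_origin != origin:
            return False, "request from unexpected origin"
        if amount <= 0:
            return False, "invalid amount"
        return True, f"debit {amount} from account ending {rec.account_number[-4:]}"


class Merchant:
    """A company that persists only tokens; the account number is not retained."""

    def __init__(self, merchant_id: str, bank: Bank, origin: str):
        self.merchant_id = merchant_id
        self.bank = bank
        self.origin = origin
        self.customer_tokens: dict[str, str] = {}  # the only thing in the merchant DB

    def enroll(self, customer_id: str, account_number: str) -> str:
        token = self.bank.issue_token(account_number, self.merchant_id, self.origin)
        self.customer_tokens[customer_id] = token
        return token

    def charge(self, customer_id: str, amount: int) -> tuple[bool, str]:
        return self.bank.authorize(self.customer_tokens[customer_id],
                                   self.merchant_id, self.origin, amount)


def demo():
    """Legitimate use succeeds; a token lifted from the merchant DB is useless elsewhere."""
    bank = Bank()
    insurer = Merchant("insurer-A", bank, "203.0.113.10")      # constructed ids
    tok = insurer.enroll("cust-42", "123456789")
    legit = insurer.charge("cust-42", 100)
    # A different company presenting the same token is refused.
    other = Merchant("other-shop", bank, "198.51.100.7")
    other.customer_tokens["cust-42"] = tok
    replayed = other.charge("cust-42", 100)
    # The right merchant id from the wrong network is refused too.
    spoofed = bank.authorize(tok, "insurer-A", "198.51.100.7", 100)
    return legit, replayed, spoofed, insurer


if __name__ == "__main__":
    for label, result in zip(("legit", "replayed", "spoofed"), demo()[:3]):
        print(label, result)
```

The point of the design is what a breach of the merchant yields: a table of tokens that only this bank honours, only for this merchant, only from this origin. Real card-network tokenization adds expiry and per-transaction cryptograms on top, but the binding shown here is the part the comment is asking for.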
Virtual merchant-locked, tight-limit credit cards are a thing.
I put all my sensitive information on paper because nothing could be safer. They're all right here... they were there. Maybe over here..., no. Maybe I have backups in the photocopier buffer or its shred bin. I could ask everyone to FAX back copies. No problem. All safe.