back to article Fidelity customers' financial info feared stolen in suspected ransomware attack

Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information — including bank account and routing numbers, credit card numbers and security or access codes — after breaking into Infosys' IT systems in the fall. According to Fidelity, in documents filed with the …

  1. A random security guy

    Blames Infosys, hah!!!

    You outsourced to an offshore company without tough security guardrails i.e. based on the commercial costs which did not include cybersecurity requirements.

    You get what you pay for.

    1. Anonymous Coward
      Anonymous Coward

      Re: Blames Infosys, hah!!!

      Quite. Seems like the headlines should be more like "Infosys at fault for yet another security incident, customer data stolen".

      Also seems like "do you use Infosys?" should be among the first questions in any security auditor list. With an immediate mark-down if answered in the affirmative. Sorry, no insurance coverage for you.

      Infosys (et al) supposedly have such awful reputations in the IT industry, customers should already know better than to employ them. And yet it keeps happening, presumably because Infosys has bottom-dollar fees to go along with their cut-rate consultants.

      Creating some impact to that financial bottom line motivation is likely the only way to start turning things around. Public/PR news and headlines, high insurance premiums, direct penalties to the executives making these business decisions, etc.

      1. Doctor Syntax Silver badge

        Re: Blames Infosys, hah!!!

        "nfosys (et al) supposedly have such awful reputations in the IT industry, customers should already know better than to employ them."

        It's not likely to be a decision made at IT department pay grades.

        1. Anonymous Coward
          Anonymous Coward

          Re: Blames Infosys, hah!!!

          Yes. Hence the additional bit about "direct penalties to the executives making these business decisions".

      2. Snake Silver badge

        Re: Blames Infosys, hah!!!

        "Infosys (et al) supposedly have such awful reputations in the IT industry, customers should already know better than to employ them."

        Exactly. To some this may sound racist, but the Asian / Indian subcontinent aren't exactly known for doing best business practices if it means cutting into the bottom line. Read: a large number of Asian / Indian businesses cost-cut and go the very cheapest way possible if it means making an extra pound. [We] have many dealing with them and they will penny-pinch you to absolute death if you let them or if that is what you are looking for - the very cheapest way out. But that's exactly why Fidelity chose them in the first place, they were (very undoubtedly) cheaper than in-house or domestic solutions; don't question why they are so cheap, just take the additional quarterly profits (and give management larger year-end bonuses, as well!).

        The problem is the SEC won't hold Fidelity accountable for the end results of their endless and inevitable penny-pinching, quarterly profit-driven, no oversight or due diligence business practices. Fidelity will be allowed to blame Infosys, as if going to the lowest-cost bidder will ever lead to anything but a headache, and it will be the customers who pay (anyway, even if the SEC imposes a fine, it never comes out of the management's pocket).

        I'm so sick of American & British end-stage capitalism, I can't even begin to tell you.

        1. Strong as Taishan Mountains

          Re: Blames Infosys, hah!!!

          Same here. I just wish I saw an end in sight.. It seems like insurers are willing to bankroll so much stupid behaviour. No consequences for any of this short-sighted stupidity.

  2. Anonymous Coward
    Anonymous Coward

    Having worked in the bowels of Fidelity in the UK, "ransomware" is probably the least embarrasing explanation...

  3. HuBo
    Holmes

    Georgia on cybercrims' mind

    It seems that Fulton County (Atlanta) becoming "the leading distribution center for goods and services in the southeastern United States [and] a major financial and telecommunications hub" may also be making it a magnet for cyberevildoers (esp. Lockbit and Killnet). This here Infosys McCamish ("the center of excellence for Infosys’ Life Insurance software solutions and services offerings in the U.S."), which handled Fidelity data, is on Cumberland Boulevard in Atlanta. Fulton County government was the target of a recent attack, as was the Hartsfield-Jackson Atlanta International Airport, and the City of Atlanta before that.

    Cyberattacks might come with the territory, but a "center for excellence in cybersecurity" might also be a useful addition there (if there isn't one).

    1. Michael Wojcik Silver badge

      Re: Georgia on cybercrims' mind

      That seems a rather dubious theory. Physical geography is not usually an attribute that you see a lot of ransomware affiliates chattering about. Typically it's whatever low-hanging fruit the updated scanners being run by the bot-army-as-a-service has picked up today, ranked by depth of pockets.

  4. Anonymous Coward
    Anonymous Coward

    Is there some way to hold identification info offline?

    Or not keep it at all? I understand some of this is needed to verify the identity of a new account holder, but once that's done, why keep it? Even as a salted hash, it's fairly easy to break; if you can find out the salt, a SSN is only 9 digits, and a birthday has less than 43800 possibilities (365 days * 120 years), so would be pretty quick to brute-force.

    For things like bank account and credit card info, I'd love to see something akin to a cookie being stored instead of the real info. User enters the data, company uses that to get the cookie from the bank, cookie is only valid for transfers between THAT bank and THAT company, company deletes bank/credit card info. If someone steals the cookie, it won't do any good; any transaction from a different IP address (for instance) is automatically denied.

    1. Michael Wojcik Silver badge

      Re: Is there some way to hold identification info offline?

      Virtual merchant-locked, tight-limit credit cards are a thing.

    2. DS999 Silver badge

      Re: Is there some way to hold identification info offline?

      There's this newfangled technology called "paper" that does what you ask, but for some reason companies don't want to go that way.

      1. Kevin McMurtrie Silver badge

        Re: Is there some way to hold identification info offline?

        I put all my sensitive information on paper because nothing could be safer. They're all right here... they were there. Maybe over here..., no. Maybe I have backups in the photocopier buffer or its shread bin. I could ask everyone to FAX back copies. No problem. All safe.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like