Fidelity customers' financial info feared stolen in suspected ransomware attack

Insurance giant blames Infosys, LockBit claims credit

Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information — including bank account and routing numbers, credit card numbers and security or access codes — after breaking into Infosys' IT systems in the fall.

According to Fidelity, in documents filed with the Maine attorney general's office, miscreants "likely acquired" information about 28,268 people's life insurance policies after infiltrating Infosys.

"At this point, [Infosys] are unable to determine with certainty what personal information was accessed as a result of this incident," the insurer noted in a letter [PDF] sent to customers. However, the US-headquartered firm says it "believes" the data included: names, Social Security numbers, states of residence, bank accounts and routing numbers, or credit/debit card numbers in combination with access code, password, and PIN for the account, and dates of birth.

In other words: Potentially everything needed to drain a ton of people's bank accounts, pull off any number of identity theft-related scams — or at least go on a massive online shopping spree.

LockBit claimed to be behind the Infosys intrusion in November, shortly after the Indian tech services titan disclosed the "cybersecurity incident" affecting its US subsidiary, Infosys McCamish Systems aka IMS. It reported that the intrusion shuttered some of its applications and IT systems [PDF].

This was before law enforcement shut down at least some of LockBit's infrastructure in December, although that's never a guarantee that the gang will slink off into obscurity — as we've already seen.

And if the Fidelity security breach sounds familiar, it's because Infosys was also at the heart of a Bank of America leak disclosed last month. Back then BofA told 57,028 of its customers that crooks may have swiped their names, addresses, business email addresses, dates of birth, Social Security numbers, and "other account information" from Infosys.

As of now, in addition to disrupting both financial firms' IT services, it appears that criminals swiped more than 85,000 individuals' sensitive details.

Fidelity did not immediately respond to The Register's inquiries.

We've asked Infosys for more information about the break-in — including how the criminals gained access and how much data they stole — and will update this story if and when we get a response.

The incident, according to letters sent to BofA and Fidelity customers, happened between October 20 and November 2, and disrupted Infosys-provided services to both financial institutions.

"Since learning of this event, we have been engaged with IMS to understand IMS's actions to investigate and contain the event, implement remedial measures, and safely restore its services," Fidelity assured its customers. "In addition, we remain engaged with IMS as they continue their investigation of this incident and its impact on the data they maintain." ®
