Article Details

Fidelity customers' financial info feared stolen in suspected ransomware attack. Insurance giant blames Infosys, LockBit claims credit. Criminals have probably stolen nearly 30,000 Fidelity Investments Life Insurance customers' personal and financial information — including bank account and routing numbers, credit card numbers and security or access codes — after breaking into Infosys' IT systems in the fall. According to Fidelity, in documents filed with the Maine attorney general's office, miscreants "likely acquired" information about 28,268 people's life insurance policies after infiltrating Infosys. "At this point, [Infosys] are unable to determine with certainty what personal information was accessed as a result of this incident," the insurer noted in a letter [PDF] sent to customers. However, the US-headquartered firm says it "believes" the data included: names, Social Security numbers, states of residence, bank accounts and routing numbers, or credit/debit card numbers in combination with access code, password, and PIN for the account, and dates of birth. In other words: Potentially everything needed to drain a ton of people's bank accounts, pull off any number of identity theft-related scams — or at least go on a massive online shopping spree. LockBit claimed to be behind the Infosys intrusion in November, shortly after the Indian tech services titan disclosed the "cybersecurity incident" affecting its US subsidiary, Infosys McCamish Systems aka IMS. It reported that the intrusion shuttered some of its applications and IT systems [PDF]. This was before law enforcement shut down at least some of LockBit's infrastructure in December, although that's never a guarantee that the gang will slink off into obscurity — as we're already seen. And if the Fidelity security breach sounds familiar, it's because Infosys was also at the heart of a Bank of America leak disclosed last month. Back then BofA told 57,028 of its customers that crooks may have swiped from Infosys names, addresses, business email addresses, dates of birth, Social Security number, and "other account information." As of now, in addition to disrupting both financial firms' IT services, it appears that criminals swiped more than 85,000 individuals' sensitive details. Fidelity did not immediately respond to The Register's inquiries. We've asked Infosys for more information about the break in — including how the criminals gained access and how much data they stole — and will update this story if and when we get a response. The incident, according to letters sent to BofA and Fidelity customers, happened between October 20 and November 2, and disrupted Infosys-provided services to both financial institutions. "Since learning of this event, we have been engaged with IMS to understand IMS's actions to investigate and contain the event, implement remedial measures, and safely restore its services," Fidelity assured its customers. "In addition, we remain engaged with IMS as they continue their investigation of this incident and its impact on the data they maintain."