Phishing Attack Leads to Title Firm Breach
Hackers Attempted To Reroute Money Transfers
Title insurance and mortgage services provider Fidelity National Financial is notifying an unspecified number of customers that their personal information may have been accessed by hackers, after its employees were compromised by a phishing attack.
In April 2014, a "targeted phishing attack" compromised some employees' usernames and passwords, Fidelity says in a breach notification letter that was published by the California attorney general's office. Attackers used the stolen credentials to log into some employees' e-mail accounts - which are hosted by an unnamed third party - from April 14 to April 16.
Fidelity, which reported 2013 revenues of $8.5 billion, is a leading provider of title insurance, mortgage services and restaurant and other diversified services.
By compromising the employees' email accounts, the hackers would have been able to steal customer information, including Social Security numbers, bank account numbers, credit and debit card numbers, and driver's license numbers, Fidelity warns.
When the company learned about the breach, it notified federal law enforcement agencies, launched an investigation and tapped an unnamed third-party security expert to help determine the specifics of the attack and the extent of the resulting breach, says Fidelity's chief compliance officer, Paul Perez, in the breach notification letter. Beyond the email account hack, however, investigators say they have found no evidence that attackers penetrated Fidelity's internal network or systems.
Money Transfers Targeted
Perhaps predictably - for an attack that targeted a financial services firm - hackers were gunning for people's money. "Our third-party security expert has advised us that the apparent purpose of the attackers' activity was to obtain information about ongoing business transactions in order to redirect scheduled money transfers," Perez says.
"We have taken and will continue to take steps to reduce the likelihood of a similar occurrence," he adds. "As part of these efforts, we have implemented enhanced security measures with respect to our employees' e-mail accounts and provided information and training to our employees." The company is also offering affected customers free identity theft protection services for one year.
Fidelity did not immediately respond to a request for additional information.
In the wake of the breach notification, independent security expert Graham Cluley has raised questions about Fidelity National Financial's information security practices, given that attackers were able to access the firm's e-mail accounts using only a username and password. That suggests the financial services firm wasn't using additional levels of protection, he notes, despite the fact that it's an obvious target for cybercriminals.
"For instance, two-factor authentication would have meant that a one-time password would also have been required to log into the accounts," Cluley says, which would have blocked attackers from reusing the employee credentials they stole via phishing attacks. "Furthermore, some Web-accessible e-mail systems examine the IP address of the computer attempting to access the account, and if it is not recognized or in a different part of the world, ask for further means of authentication."
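The IP-recognition check described in the last paragraph can be sketched as a login decision that asks for a one-time password whenever a correct password arrives from a network the account has not used before. This is an added example, not code from Fidelity, its e-mail provider or anyone quoted in the article; the `StepUpPolicy` class, the /24 and /48 grouping and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed history of earlier successful webmail logins: (account, source IP).
HISTORY = [
    ("alice", "192.0.2.10"),
    ("alice", "192.0.2.77"),
    ("bob", "198.51.100.5"),
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network so address churn inside
    one office or ISP range does not look like a new location."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class StepUpPolicy:
    """Hypothetical policy: password alone is enough only from a known network."""

    def __init__(self, history):
        self.known = defaultdict(set)
        for account, ip in history:
            self.known[account].add(network_of(ip))

    def decide(self, account, ip, password_ok, otp_ok=None):
        """Return 'deny', 'challenge' or 'allow' for one login attempt.
        otp_ok is None when no one-time password has been submitted yet."""
        if not password_ok:
            return "deny"
        net = network_of(ip)
        if net in self.known[account]:
            return "allow"
        if otp_ok is None:
            return "challenge"  # correct password, unrecognized network
        if not otp_ok:
            return "deny"
        # Learn the network only after the second factor succeeds, so a
        # phished password can never add the attacker's network by itself.
        self.known[account].add(net)
        return "allow"

if __name__ == "__main__":
    policy = StepUpPolicy(HISTORY)
    for attempt in [("alice", "192.0.2.200", True), ("alice", "203.0.113.9", True)]:
        print(attempt, "->", policy.decide(*attempt))
```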