Fidelity National employees hacked after targeted phishing attack

Graham Cluley

Your company’s defences against hackers are only as good as the weakest link.

That’s a message which hopefully is being understood loud and clear right now at Fidelity National Financial, America’s largest provider of commercial and residential mortgage services.

As SC Magazine reports, Fidelity National has just found itself in the awkward position of contacting an “undisclosed number of customers” who may have had their social security number, bank account details, payment card numbers and driver’s license details exposed to hackers following a recent security breach.

It appears that attackers sent phishing emails to a small number of Fidelity National employees and managed to trick workers into entering their usernames and passwords, as is described in their notification letter to affected consumers:

In April 2014, certain of our employees were the subject of a targeted phishing attack. As a result of this phishing attack, the attackers obtained username and password information for a small number of our employee email accounts and logged into a subset of those accounts intermittently from April 14 through April 16, 2014. These email accounts are hosted by a recognized third-party service provider. Our investigation revealed no evidence that the attackers penetrated FNF’s internal network or systems. Upon learning of this attack, FNF promptly notified federal law enforcement and began an investigation. FNF worked with a third-party security expert to determine the scope of the attack.

According to the company, the email hackers broke into systems between April 14 and April 16 of this year, with the apparent intention of stealing “information about ongoing business transactions in order to redirect scheduled money transfers” rather than “to access or acquire large volumes of personal information.”

Nevertheless, it seems sensible for affected consumers to be on their guard against the risks of identity theft and fraud following the possible exposure of their personal information.

It’s good to hear that there is no evidence that Fidelity National’s own internal network was breached, but clearly some of its affected workers had information in their third-party email accounts, which could have put the personal information of at least some customers at risk.

Potentially, there might have been other company confidential information in those corporate email accounts, although that concern is not raised in Fidelity National’s notification letter.

What seems clear is that additional levels of protection should have been put in place on those email accounts to prevent unauthorised access from being possible with just a username and password.

For instance, two-factor authentication would have meant that a one-time password would also have been required to log into the accounts. Furthermore, some web-accessible email systems examine the IP address of the computer attempting to access the account, and if it is not recognised or is in a different part of the world, ask for further means of authentication.
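To make the two controls in that paragraph concrete, here is an added illustration (not Fidelity National's code, nor anything from the article) of a webmail login policy that combines an RFC 6238 one-time password check with a step-up when the request comes from a network or country the account has not used before. The account record, IP ranges, country codes and secret are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TIME_STEP = 30  # RFC 6238 default step in seconds
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step and one step either side to absorb clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * TIME_STEP).encode(),
                                   code.encode())
               for d in (-1, 0, 1))


@dataclass
class Account:
    totp_secret: bytes
    known_networks: list   # CIDR strings the user normally signs in from (constructed)
    known_countries: set   # country codes seen in the user's login history (constructed)


def evaluate_login(account: Account, password_ok: bool, source_ip: str,
                   country: str, otp, unix_time: int,
                   always_require_otp: bool = True) -> str:
    """Return 'deny', 'otp_required' or 'allow' for one webmail login attempt."""
    if not password_ok:
        return "deny"
    ip = ipaddress.ip_address(source_ip)
    familiar = (country in account.known_countries
                and any(ip in ipaddress.ip_network(c) for c in account.known_networks))
    # A password alone is enough only when OTP is optional and the request
    # comes from a network and country this account has used before.
    if not always_require_otp and familiar:
        return "allow"
    if otp is None:
        return "otp_required"  # step up: ask the user for the one-time code
    return "allow" if verify_totp(account.totp_secret, otp, unix_time) else "deny"
```

A one-time code typed into a phishing page can still be relayed by the attacker within its 30-second window, which is why the unfamiliar-location check is worth running alongside the OTP rather than instead of it.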

Fidelity National says that it is putting measures in place to prevent successful attacks from reoccurring in the future, and that it will also be providing training to its employees.

That’s really the crux of the problem. People are the weak link in your organisation – you can have all the technology in the world to reduce the threat, but it will always be possible for one of your workers to make a poor choice, and accidentally hand over their password.

After all, this wasn’t a sophisticated attack involving malware or zero-day vulnerability exploitation. This, from the sound of things, was simple phishing.

Layered security can lower the risk, but never utterly eliminate it – so staff training has to be part of the mix.

Oh, and it might be worth remembering to always wipe any information that you no longer require in your email, especially if it might include sensitive personal data about your customers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
