Fidelity National Financial has been contacting an "undisclosed number of individuals", notifying them that a selection of personal data may have been exposed after some of the Fortune 500 company's employees had their email accounts targeted by a phishing campaign, SC Magazine reports.
The personal information includes Social Security numbers, bank account numbers, driver's license numbers and payment card numbers, but at this stage Fidelity National Financial (FNF) has not revealed how many individuals may have been exposed in the breach, which was caused by a phishing campaign that targeted a 'small number of employee's' email accounts.
Federal law enforcers have been informed, and a third-party security expert has been brought in to scope out the nature and extent of the attack. Steps have also been put in place to stop similar events occurring in the future, including enhanced security on email accounts and information and training available to employees.
The attacks took place between April 14 and April 16, but there was no evidence to suggest FNF's internal network or systems were breached, as email accounts were hosted on a third party server, and no suggestion that attackers were able to access personal information. The letter to potentially affected customers went out on September 23, and offers a little more explanation about the nature of the attack. Writing to customers, Paul Perez, the chief compliance officer at FNF writes: "Our third-party security expert has advised us that the apparent purpose of the attackers' activity was to obtain information about ongoing business transactions in order to redirect scheduled money transfers."
"The third-party security expert has further advised us that the attackers' behavior was not designed to access or acquire large volumes of personal information," he continued. "As a result of this information from our third-party security expert, we believe the risk to you associated with the incident is low," he concluded.
FNF will be offering a year's worth of free identity protection to affected customers in the wake of the lapse, VPN Creative reports.