Suppose by logging in, a customer can retrieve a certain document pertaining to the customer itself. The system hosting the documents checked it was a logged-in user but it didn't check the requested document id belonged to that user. Thus the hackers could retrieve another customer's document by altering the document id or account number in the request. The other customers' accounts weren't accessed but their documents were retrieved.

In another data breach notice filed with New Hampshire's attorney general, Fidelity revealed that the third party "accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents pertaining to Fidelity customers."
Statistics: Posted by tfb — Fri Oct 11, 2024 9:12 pm — Replies 22 — Views 2929
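The missing-ownership-check pattern described in the post above, as an added illustration that is not from the post or from Fidelity's system: a document handler that only checks for a login beside one that also checks the document's owner against the session, plus a small audit that shows which sample requests leak under each. The account ids, document ids and in-memory tables are all constructed for the example.

```python
from typing import Callable, List, Optional, Tuple

class AccessDenied(Exception):
    pass

# Constructed sample data: each stored document image belongs to one account.
DOCUMENTS = {
    "doc-1001": {"owner": "acct-A", "image": b"<statement for acct-A>"},
    "doc-1002": {"owner": "acct-B", "image": b"<statement for acct-B>"},
}

def fetch_document_broken(session_account: Optional[str], doc_id: str) -> bytes:
    """Vulnerable pattern: confirms the caller is logged in, then trusts the
    client-supplied document id. Any authenticated user can read any document."""
    if session_account is None:
        raise AccessDenied("login required")
    return DOCUMENTS[doc_id]["image"]  # no check that doc_id belongs to the caller

def fetch_document_fixed(session_account: Optional[str], doc_id: str) -> bytes:
    """Hardened pattern: authorisation is decided server-side by comparing the
    stored owner with the account bound to the session, never with an account
    number taken from the request itself."""
    if session_account is None:
        raise AccessDenied("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same response for "no such document" and "not your document", so the
    # endpoint does not reveal which ids exist.
    if doc is None or doc["owner"] != session_account:
        raise AccessDenied("document not found")
    return doc["image"]

# Constructed requests: acct-A asks for its own document, then for acct-B's.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("acct-A", "doc-1001"),
    ("acct-A", "doc-1002"),
]

def audit(handler: Callable[[Optional[str], str], bytes],
          requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replays requests through a handler and returns the (account, doc_id)
    pairs where a document belonging to a different account was served.
    Useful as a regression check after fixing an ownership bug."""
    leaked = []
    for account, doc_id in requests:
        try:
            handler(account, doc_id)
        except (AccessDenied, KeyError):
            continue
        if DOCUMENTS[doc_id]["owner"] != account:
            leaked.append((account, doc_id))
    return leaked
```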