Cyber Incident Victim: Fidelity National Information Services, Inc.
Date: Jun 2016
Location: United States of America
Summary
A hacker exploiting a password reset vulnerability in a financial technology firm's client portal accessed and leaked internal invoices and contact information from a specific bank client. The attacker, who previously targeted other high-profile entities, claimed the company failed to respond to warnings, prompting threats to release additional compromised data. While the breach reportedly exposed sensitive client details, including employee credentials and billing records, the impacted organization did not publicly acknowledge the incident despite media inquiries. This event followed earlier security failures where fundamental vulnerabilities like default passwords persisted despite significant post-breach investments, with auditors previously identifying widespread unaddressed weaknesses in the company's systems.
Description
In June 2016, a hacker using the alias 1x0123 claimed unauthorized access to Fidelity National Information Services, Inc. (FIS Global), a Fortune 500 financial technology firm serving over 20,000 clients globally. The attacker targeted FIS Global's client portal through a vulnerability that allowed password resets without knowledge of the original credentials. 1x0123 provided the Daily Dot with unredacted screenshots from the portal, including a Client Contacts screen and Client Invoices related exclusively to Guaranty Bank and Trust Company. These screenshots revealed employee names, email addresses, phone numbers, account numbers, and billing details. The hacker demonstrated successful password reset access for a Guaranty Bank vice president's account and shared an archive of dozens of recent invoices for the bank's services. FIS Global did not publicly acknowledge the breach or respond to 1x0123's tweets and private communications, prompting Twitter to suspend the hacker's account after he posted evidence. Although the vulnerability was reportedly patched by June 14, 1x0123 threatened to leak all downloaded invoices due to FIS's lack of response. The Daily Dot confirmed the compromised employee's identity through LinkedIn but received no callback from the bank's cybersecurity team. Forensic analysis of provided invoices indicated no exposure of customer personally identifiable information, and all disclosed materials pertained solely to Guaranty Bank.

This incident followed a 2011 breach where hackers exploited FIS Global's prepaid card network, manipulating withdrawal limits on 22 debit cards to steal $13 million via cloned cards. FIS initially reported the breach as limited to 7,000 cardholders' non-public information, but later FDIC audits revealed broader network intrusions, with additional compromised servers and malware instances undisclosed by the company. Examiners cited systemic failures, including routine use of blank/default passwords on production systems—a vulnerability that facilitated the 2011 attack. Despite FIS investing $100 million in security enhancements after the breach, the 2012 FDIC audit identified 18,747 unresolved network vulnerabilities and 291 overdue application vulnerabilities. Security journalist Brian Krebs highlighted FIS's failure to implement basic safeguards despite these expenditures. In the 2016 incident, FIS Global again provided no public statements or responses to media inquiries regarding the client portal breach, maintaining a pattern of limited disclosure observed in prior security events. The company's Twitter team and executive contacts ignored repeated requests for comment from the Daily Dot during both breaches.
