Asset manager Fidelity Investments has revealed that it suffered a breach in August that resulted in the personal data of over 77,000 customers being exposed. At the same time, Fidelity holds ISO 27001 information security management system certification from NQA, which is accredited by the ANSI National Accreditation Board (ANAB). NQA’s marketing of its ISO 27001 certifications suggests such breaches cannot happen on its watch.

According to reporting from TechCrunch:

The Boston, Mass.-based investment firm said in a filing with Maine’s attorney general on Wednesday that an unnamed third party accessed information from its systems between August 17 and August 19 “using two customer accounts that they had recently established.”

Fidelity confirmed that a total of 77,099 customers were affected by the breach, and its completed review of the compromised data determined that customers’ personal information was affected. It is not immediately clear how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers.

The financial giant hasn’t yet said what types of personal data were compromised, and no information about the breach was found on the company’s website at the time of writing.

The three NQA certifications held by Fidelity (ISO 27001, ISO 20000-1 and ISO 27701, discussed below) appear to have been issued in October of this year, suggesting NQA performed its audit after the breach occurred. This means either Fidelity kept the breach secret from NQA, or NQA auditors did not uncover it during their audit. A third possibility is that NQA knew of the breach and issued the certificates regardless.

NQA Marketing at Odds

NQA’s marketing, however, suggests that its certification would make such breaches impossible. Per the NQA website (emphasis added):

Achieving accredited ISO 27001 certification shows that your company is dedicated to following the best practices of information security. Additionally, ISO 27001 certification provides you with an expert evaluation of whether your organization’s information is adequately protected.

The NQA site then touts the “benefits of ISO 27001 certification” as including (emphasis added):

  • Give customers confidence that their personal data/information is protected and confidentiality upheld at all times.
  • Ensure customer records, financial information and intellectual property are protected from loss, theft and damage through a systematic framework.

Fidelity also holds ISO 20000-1 certification from NQA for its service management system, which also requires some level of protection of confidential information and customer records.

NQA also awarded Fidelity an ISO 27701 certificate for “privacy management system certification.” Certification to the ISO 27701 standard is relatively new, and NQA claims its certification helps companies comply with the European data privacy law known as “GDPR,” and the California equivalent known as “CCPA”:

Implementation of ISO 27701 can enhance privacy compliance and reduce the risk of the privacy regulation infractions by the organization, using an existing ISO management system approach. A Privacy Information Management System under ISO 27701 is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance to GDPR, CCPA and other related privacy legislation.

NQA then makes more claims about ISO 27701 certification, which appear at odds with the Fidelity breach:

At the same time, [ISO 27701] certification allows you to adhere to regional jurisdiction requirements. You can remain fully compliant on local and worldwide levels.

This certification holds your operations up to a rigorous standard that demonstrates the level of thoroughness and detail of your operations as you meet the highest requirements.

ANAB’s Bold Claims

NQA is accredited by ANAB to issue these certificates. ANAB is supposed to ensure that certification bodies such as NQA only issue certificates to companies that have proven their conformity with the standards, and that the certification bodies use a thorough, independent process to verify that conformity. Despite this, ANAB has not de-accredited any certification body anywhere in the world in over eight years.

ANAB claims its accreditations are so trusted that they can be used in court to help defend a client, such as NQA, against claims made regarding possible violations.

Despite decades of evidence suggesting ANAB accreditation does little to ensure certification bodies like NQA comply with accreditation rules, ANAB has conducted a yearslong campaign insisting its mark “ensures” compliance and quality.

ISO 27001 Failures

Oxebridge has amassed evidence of over a decade of ISO 27001’s failure to match the marketing used to sell it. Despite this, accreditation bodies such as ANAB refuse to ensure that ISO 27001 certification bodies only issue certificates to companies that truly deserve them. More importantly, the bodies refuse to withdraw such certifications even after such companies are shown to have dysfunctional cybersecurity management controls.

  • In 2017, Equifax suffered a breach that affected more than 147 million Americans, all while holding an ISO 27001 certificate issued by Ernst & Young’s ISO certification division, EY CertifyPoint. CertifyPoint was accredited by the Dutch accreditation body RvA.
  • In 2023, security vendor Okta announced it suffered a breach that affected “all” of its clients despite holding an ISO 27001 certificate from Schellman, accredited by ANAB.
  • In 2023, San Francisco IT firm Airtable was found intentionally leaking children’s private information while holding ISO 27001 certification from Barr Certifications, also accredited by ANAB.
  • In 2020, NASA contractor DMI was hit with a cybersecurity attack while holding ISO 27001 certification from SRI, a certification body also accredited by ANAB.
  • In 2019, an ISO 27001 consulting firm, Synoptik, was hit with a cyber attack. The company does not appear to be ISO 27001 certified itself, but consults on ISO 27001 for others.
  • In 2019, the security company Prosegur was breached while holding ISO 27001 certification issued by the Spanish certification body AENOR.
  • In 2017, the certification body Alcumus ISOQAR, which issues ISO 27001 certificates, revealed it had been breached through a rudimentary phishing attack. ISOQAR is accredited in the UK by UKAS.


Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.