Fidelity Investments, one of the largest US mutual fund companies, was one of 13 financial institutions attacked by hackers, who are believed to be the same group that stole customer information from JPMorgan Chase, according to two people familiar with the matter.
The breadth and sophistication of the attack has concerned US officials. Fidelity is home to thousands of American retirees' accounts, although, unlike in the JPMorgan incident, there is no indication that customer data were stolen.
Last Thursday, JPMorgan, the biggest US bank by assets, said the names, addresses, telephone numbers and emails of 76m households had been compromised by a cyber attack, making it one of the largest such thefts on record.
The US Secret Service and Federal Bureau of Investigation are leading an investigation into the attacks, which are now believed to involve more than a dozen targets.
People familiar with the matter said not all the institutions' security infrastructure was breached. JPMorgan is the only company to have confirmed that information was stolen.
"We have no indication that any Fidelity customer sites, accounts, information, services or systems were affected by this matter," said a Fidelity spokesman.
"We take security very seriously and closely monitor the online environment. Fidelity has a range of safeguards and multiple layers of security in place to protect customer accounts and information, our sites, and systems. For security reasons, some of these protections are visible, some are not. Beyond that, for security reasons, it's our practice not to comment on details of specific matters," the spokesman said.
In a sign of the effort to counter an onslaught of cyber attacks from criminals and foreign states, financial services companies are recruiting large numbers of IT security staff.
In September, Fidelity advertised for a senior "cyber incident response forensics and malware analyst" to "defend the network" and work on "detection, response, and mitigation of cyber incidents."
JPMorgan has also said there was "no evidence" that account information or social security numbers were accessed. People familiar with the matter said the attack emanated from Russia.
—Additional reporting by Stephen Foley and Camilla Hall in New York