According to Massachusetts Commonwealth Secretary William Galvin, the firm failed to protect customer data during the breach in which private information for thousands of clients and others (including minors) was accessed.
Fidelity Investments has agreed to pay $1.25 million to settle allegations brought by Massachusetts Secretary of the Commonwealth William Galvin over its handling of a 2024 data breach that exposed sensitive customer information. The settlement follows an investigation into claims that the firm failed to adequately safeguard personal data and did not notify all affected individuals.
According to the consent order, an unidentified and unauthorized third party accessed document images containing sensitive information belonging to approximately 77,000 customers and related individuals. Of these, around 2,768 were residents of Massachusetts. The breach also impacted non-customers, including beneficiaries, relatives, and other individuals linked to client accounts – some of whom were minors.
The incident occurred between August 17 and 19, 2024, and involved highly sensitive data such as Social Security numbers, passport and driver’s license details, financial account information, insurance records, medical data, and scanned images of active credit cards. Regulators stated that the attackers exploited a vulnerability in Fidelity’s access control systems by logging in through previously established brokerage accounts.
Once authenticated, the attackers leveraged a document image retrieval function to access files associated with other customer accounts. Investigators found that the perpetrators executed approximately 23.7 million automated requests in an apparent attempt to harvest data at scale. While most attempts were unsuccessful, the hackers managed to access around 373,000 unique document images.
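The failure mode described above (an authenticated account retrieving document images that belong to other accounts, with bulk requests mostly failing) as an added illustration, not Fidelity's code: an object-level ownership check on a document-retrieval function beside the authentication-only version, and a detector that flags a session by its count of denied retrievals. The account ids, image ids, ownership table and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed ownership table: which account each document image belongs to.
DOCUMENT_OWNERS = {
    "img-1001": "acct-A",
    "img-1002": "acct-A",
    "img-2001": "acct-B",
}


class Forbidden(Exception):
    """Raised when a session requests an image it is not authorized to read."""


def fetch_document_insecure(session_account, doc_id):
    """Authentication only: any logged-in account can read any image id.
    This is the defect class the article describes, shown for contrast."""
    return f"bytes-of-{doc_id}" if doc_id in DOCUMENT_OWNERS else None


def fetch_document(session_account, doc_id):
    """Object-level authorization: the image must belong to the account bound
    to the authenticated session, checked before any bytes are read."""
    owner = DOCUMENT_OWNERS.get(doc_id)
    if owner is None or owner != session_account:
        # Identical response for 'unknown id' and 'not yours', so the
        # endpoint does not reveal which ids exist.
        raise Forbidden(doc_id)
    return f"bytes-of-{doc_id}"


def audit_requests(session_id, session_account, doc_ids):
    """Serve a batch of requests through the hardened path and emit one audit
    event per request; this is the record a detector would consume."""
    events = []
    for doc_id in doc_ids:
        try:
            fetch_document(session_account, doc_id)
            result = "ok"
        except Forbidden:
            result = "denied"
        events.append({"session": session_id, "doc_id": doc_id, "result": result})
    return events


def flag_enumeration(events, max_denied=50):
    """Return sessions whose denied-retrieval count exceeds the threshold.
    A legitimate user rarely requests images they do not own; a scripted
    sweep over many ids produces a high denial count per session."""
    denied = defaultdict(int)
    for ev in events:
        if ev["result"] == "denied":
            denied[ev["session"]] += 1
    return sorted(s for s, n in denied.items() if n > max_denied)
```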
William Galvin alleged that Fidelity failed to fully notify all affected individuals, particularly beneficiaries and others indirectly linked to compromised accounts. While the firm did inform its customers, the omission of additional impacted parties raised concerns about transparency and compliance with notification requirements.
A spokesperson for Fidelity stated that the company acted immediately upon discovering the breach by terminating unauthorized access, launching an internal investigation with external cybersecurity experts, and notifying law enforcement authorities. The firm also emphasized that the incident did not involve direct access to customer accounts or financial assets.
“We contacted the affected consumers in compliance with applicable regulations and alerted the appropriate regulators,” the representative said, adding that there has been no indication of identity theft or fraud as a result of the breach in the time since it occurred. Fidelity also underlined its commitment to client security and highlighted its Customer Protection Guarantee, which reimburses damages caused by fraudulent activity in insured accounts.
As part of the settlement, Fidelity neither admitted nor denied the findings but agreed to implement corrective measures. These include hiring an independent cybersecurity consultant, enhancing its internal security controls, and ensuring that all affected Massachusetts residents – including those not previously notified – are informed of the breach.
The settlement comes amid a broader wave of cybersecurity incidents across the financial services sector. In a related development, LPL Financial recently disclosed a separate data breach involving unauthorized access through advisors’ devices, which resulted in unauthorized transactions and financial transfers.
The Fidelity case underscores increasing regulatory scrutiny on financial institutions as cyber threats continue to evolve. With sensitive financial and personal data at stake, firms are facing mounting pressure to strengthen cybersecurity defenses, improve access controls, and ensure timely and comprehensive breach disclosures.