
The Massachusetts Secretary of the Commonwealth has issued a $1.25 million fine to Fidelity Brokerage Services for failing to prevent the breach of sensitive personal records of approximately 77,000 customers.
Secretary of the Commonwealth William Galvin announced in a press release that the fine was issued in response to a significant data breach in August 2024, in which a hacker broke into Fidelity Brokerage’s systems and exfiltrated sensitive customer records.
The hacker took advantage of an IT vulnerability in the company’s online access controls that allowed logged-in customers to view and access the documents of other customers by manipulating the ten-digit image IDs displayed in the browser. Fidelity failed to notice or fix the security vulnerability before the data breach incident took place.
According to the Secretary of the Commonwealth, the hacker was able to access and copy sensitive customer records, including social security numbers, active credit card and financial account numbers, medical information, passports, driver’s licenses, and other personally identifiable information. The data breach incident impacted approximately 77,000 customers.
The Securities Division of the office of the Secretary of the Commonwealth issued the consent order after Fidelity Brokerage submitted an offer of settlement on April 22, in which it committed to pay a fine without admitting any fault “in the public interest or for the protection of investors.”
“At the time of the data breach, Fidelity did not reasonably enforce its technical security policies designed to restrict users… to accessing only the images in the Document Image Repository that are associated with the user’s account,” the consent order reads.
“Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers.”
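The flaw the consent order describes is an object-level authorization failure: the endpoint confirmed that the caller was logged in, but not that the requested image belonged to that caller's account. The following Python sketch is added here and is not Fidelity's code or anything quoted in the order; it contrasts a lookup that relies on authentication alone with one that ties each image to the account of the requesting session. The repository, account names and image IDs are constructed sample data.

```python
# Added illustration (not Fidelity's code): an object-level authorization
# check for a document-image retrieval endpoint. All records below are
# constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    image_id: str        # ten-digit numeric identifier, as the order describes
    owner_account: str   # the only account allowed to retrieve this image
    content: bytes


# Constructed sample repository: two customers, one image each.
REPOSITORY = {
    "0000000001": ImageRecord("0000000001", "acct-alice", b"alice-statement.pdf"),
    "0000000002": ImageRecord("0000000002", "acct-bob", b"bob-tax-form.pdf"),
}


class Forbidden(Exception):
    """Raised when a request is malformed or not tied to the caller's account."""


def fetch_image_vulnerable(session_account: str, image_id: str) -> bytes:
    """Authenticates (the caller has a session) but never authorizes:
    any logged-in user receives any image whose ID they can guess."""
    record = REPOSITORY.get(image_id)
    if record is None:
        raise KeyError(image_id)
    return record.content


def fetch_image_hardened(session_account: str, image_id: str) -> bytes:
    """Same lookup, but the record must belong to the session's account.
    Unknown and foreign IDs raise the same error, so the response does
    not reveal which IDs exist."""
    if not (len(image_id) == 10 and image_id.isdigit()):
        raise Forbidden("malformed image id")
    record = REPOSITORY.get(image_id)
    if record is None or record.owner_account != session_account:
        raise Forbidden("image not associated with this account")
    return record.content


def serves_foreign_image(fetch, session_account="acct-alice", foreign_id="0000000002") -> bool:
    """Regression check: True if the handler hands out another account's image."""
    try:
        fetch(session_account, foreign_id)
        return True
    except (Forbidden, KeyError):
        return False
```

A check like `serves_foreign_image` belongs in the endpoint's automated tests, so that a later change which drops the ownership comparison fails the build rather than reaching production.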
The Secretary of the Commonwealth noted that even though Fidelity took steps to notify affected customers after the incident took place, it failed to inform many beneficiaries, including relatives and minor children of customers, that their data had been compromised during the incident.
Fidelity Brokerage Services is owned by Fidelity Investments, one of the largest asset managers in the world with over $5.9 trillion in assets under management and $15.1 trillion in assets under management as of 2024. Aside from offering brokerage services, Fidelity offers mutual funds, retirement services, investment advice, and wealth management and life insurance products.
Fidelity Investments has yet to issue a statement concerning the fine issued by the Secretary of the Commonwealth of Massachusetts.