
Fidelity Brokerage Services, a major U.S.-based financial services firm, will pay $1.25 million to resolve regulatory allegations stemming from a 2024 data breach that exposed sensitive personal information of approximately 77,000 customers and related individuals, Massachusetts officials confirmed Monday.
The settlement follows an August 2024 incident in which an unauthorized third party accessed documents containing Social Security numbers, financial account details, medical information and other sensitive data. The breach occurred over a three-day period from Aug. 17 to Aug. 19, when attackers exploited weaknesses in Fidelity’s internal access controls.
Investigators determined that the intruders logged into brokerage accounts as authenticated users and manipulated the document identification system to retrieve files belonging to other customers: the service checked that the requester was logged in, but not that the requested document belonged to that account. Using automated methods, the attackers generated roughly 23.7 million requests for document images and ultimately retrieved about 373,000 unique records tied to client accounts.
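The failure described above is a missing object-level authorization check on a document identifier, swept with automated requests. The following Python sketch is an added illustration and is not Fidelity's code, nor anything recovered from the incident: the document store, account identifiers, log lines and the request threshold are all constructed here. It shows a retrieval function that only authenticates beside one that also checks ownership, an identifier sweep run against each, and a simple detector that flags sessions requesting an unusual number of distinct document identifiers.

```python
"""Illustration of an identifier-based authorization failure and one detection.

Constructed example: DOCUMENTS, the account ids, LOG_LINES and the threshold
are made up for illustration and are not data from the incident.
"""
import re
from collections import defaultdict

# Constructed document store: doc_id -> owning account and file name.
DOCUMENTS = {
    1001: {"owner": "acct-A", "name": "statement-2024-07.pdf"},
    1002: {"owner": "acct-B", "name": "passport-scan.png"},
    1003: {"owner": "acct-A", "name": "w9.pdf"},
    1004: {"owner": "acct-C", "name": "drivers-license.png"},
}


class Forbidden(Exception):
    """Raised when a session asks for a document it is not allowed to see."""


def fetch_document_vulnerable(session_account, doc_id):
    """Authenticated but not authorized: the caller must be logged in, yet any
    logged-in session can read any document id it can guess."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc["name"]


def fetch_document_hardened(session_account, doc_id):
    """Object-level authorization: the document must belong to the session's
    account. 'Missing' and 'not yours' raise the same error so the endpoint
    cannot be used as an oracle for which identifiers exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_account:
        raise Forbidden(f"document {doc_id} not available to {session_account}")
    return doc["name"]


def enumerate_documents(fetch, session_account, id_range):
    """Model the automated sweep: one request per identifier, keep whatever
    the endpoint returns. Returns a list of (doc_id, file name)."""
    found = []
    for doc_id in id_range:
        try:
            found.append((doc_id, fetch(session_account, doc_id)))
        except (KeyError, Forbidden):
            continue
    return found


# Constructed access-log lines: s1 reads its own two documents; s2 walks
# 25 consecutive identifiers, the signature of a sweep.
LOG_LINES = (
    [f"2024-08-17T03:14:{i:02d}Z session=s1 acct=acct-A GET /documents/image?id={d} 200"
     for i, d in enumerate((1001, 1003, 1001))]
    + [f"2024-08-17T03:20:{i:02d}Z session=s2 acct=acct-B GET /documents/image?id={1000 + i} 200"
       for i in range(25)]
)

LOG_RE = re.compile(r"session=(?P<session>\S+) .*?\?id=(?P<doc_id>\d+)")


def flag_sweeping_sessions(log_lines, max_distinct_ids):
    """Return sessions that requested more than max_distinct_ids distinct
    document identifiers. Counting distinct ids rather than raw requests
    ignores a user re-opening the same statement many times."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            distinct[m["session"]].add(int(m["doc_id"]))
    return sorted(s for s, ids in distinct.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    sweep = range(1000, 1010)
    print("vulnerable:", enumerate_documents(fetch_document_vulnerable, "acct-A", sweep))
    print("hardened:  ", enumerate_documents(fetch_document_hardened, "acct-A", sweep))
    print("flagged:   ", flag_sweeping_sessions(LOG_LINES, max_distinct_ids=10))
```

Against the vulnerable function the sweep from account A returns all four documents; against the hardened one it returns only A's two. The detector is deliberately crude: a threshold on distinct identifiers per session catches the sweep shape the article describes (tens of millions of requests for a few hundred thousand hits), but a real deployment would tune it per endpoint and pair it with server-side rate limits, because detection after the fact does not replace the ownership check.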
The compromised data included Social Security numbers, passport and driver’s license details, financial account information, insurance and medical records, and scanned images of active credit cards. In some cases, the breach also exposed information belonging to individuals who were not Fidelity customers, including beneficiaries, relatives and minors connected to customer accounts.
Regulators found that gaps in Fidelity’s cybersecurity controls allowed users to view documents that were not their own, raising concerns about the firm’s data protection practices. Officials also identified shortcomings in the company’s response, noting that while many affected customers were notified, some individuals whose data had been compromised were not initially informed.
Under the terms of the agreement, Fidelity will hire an independent cybersecurity consultant, strengthen its data protection systems and certify improvements to its internal controls. The firm must also identify and notify any Massachusetts residents affected by the breach who were not previously alerted, including non-customers whose data was exposed.
Fidelity did not admit or deny the findings as part of the settlement. The company stated that it terminated unauthorized access promptly after detecting the breach, launched an investigation with external cybersecurity experts and notified law enforcement.
The firm indicated that the incident did not involve unauthorized access to customer accounts or funds and that no evidence of identity theft or fraud linked to the breach has been identified to date.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543