
Fidelity to Pay $1.25M Over 2024 Data Breach

Fidelity will pay $1.25 million to settle allegations by Massachusetts Secretary of the Commonwealth William Galvin that it failed to protect clients’ private information during a 2024 data breach.

According to the consent order signed Monday, an “unidentified and unauthorized third party” accessed images of documents containing sensitive information of about 77,000 customers and individuals, about 2,768 of whom were based in the Bay State.

In some instances, the hackers accessed the private information of Massachusetts residents who weren’t Fidelity customers, including relatives of clients, beneficiaries and other people associated with the firm’s customer transactions, some of whom were children.

According to the order, the breach occurred between August 17 and 19, 2024, and the accessed data included Social Security, passport and driver's license numbers, as well as financial account information, insurance and medical information, and scanned images of active credit cards.


Galvin claimed the hackers “exploited a vulnerability related to Fidelity’s access controls” by logging into the firm’s website as authenticated users through previously opened brokerage accounts. Once logged in, they used a “document image retrieval function” to go “fishing” for document images associated with other customers’ accounts.

During that window, the hackers allegedly made about 23.7 million requests for images, almost certainly using an automated script. Most of the requests failed, but about 373,000 “unique” document images associated with Fidelity clients’ accounts were retrieved.
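The attack pattern described above (an authenticated account using a document-image retrieval function to pull other customers' images, at a request volume only a script could produce) is illustrated by the following added Python example. It is not Fidelity's code, and the consent order does not describe the actual endpoint; the example assumes the flaw was a missing object-level authorization check on the retrieval function, and the document store, account names and access-log lines are constructed for the demo. It also shows the log check a detection team would run for the enumeration signature the order describes: one account, millions of requests, most of them failing.

```python
"""Illustration of the access-control failure class described above:
an authenticated user retrieving document images that belong to other
customers, and a log check for the scripted-enumeration pattern.

Added example; not Fidelity's code. The handler names, document IDs,
account names and log lines are constructed for the demo."""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_account: str   # account the image was uploaded under
    content: str         # stands in for the image bytes


# Constructed sample store: two customers, each with their own documents.
DOCUMENTS = {
    1001: Document(1001, "acct-A", "passport scan (A)"),
    1002: Document(1002, "acct-A", "driver's license (A)"),
    2001: Document(2001, "acct-B", "credit card image (B)"),
}


def fetch_document_unchecked(session_account, doc_id):
    """Vulnerable pattern: the handler confirms the caller is logged in
    but never checks that the requested document belongs to that caller,
    so any authenticated account can walk the document ID space."""
    if session_account is None:
        raise PermissionError("not authenticated")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.content


def fetch_document_checked(session_account, doc_id):
    """Hardened pattern: object-level authorization. Look the document up,
    then require that it belongs to the session's account. A missing
    document and a foreign document get the same 'not found' result so
    the endpoint cannot be used as an oracle for which IDs exist."""
    if session_account is None:
        raise PermissionError("not authenticated")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_account != session_account:
        raise KeyError(doc_id)
    return doc.content


# Constructed access-log lines in the form "account doc_id http_status".
# acct-C is the scripted enumerator: sequential IDs, mostly 404s.
SAMPLE_LOG = """\
acct-A 1001 200
acct-A 1002 200
acct-B 2001 200
acct-C 1 404
acct-C 2 404
acct-C 3 404
acct-C 1001 200
acct-C 4 404
acct-C 5 404
acct-C 2001 200
acct-C 6 404
acct-C 7 404
"""


def flag_enumeration(log_text, min_requests=5, max_success_ratio=0.5):
    """Detection: one account issuing many document-image requests of
    which most fail is the signature of scripted ID enumeration (the
    article notes that most of the 23.7 million calls failed). Returns
    {account: (requests, successes)} for every account at or above the
    request floor whose success ratio is at or below the threshold."""
    requests = Counter()
    successes = Counter()
    for line in log_text.splitlines():
        account, _doc_id, status = line.split()
        requests[account] += 1
        if status == "200":
            successes[account] += 1
    flagged = {}
    for account, n in requests.items():
        if n >= min_requests and successes[account] / n <= max_success_ratio:
            flagged[account] = (n, successes[account])
    return flagged


if __name__ == "__main__":
    print(fetch_document_unchecked("acct-C", 1001))   # leaks A's passport scan
    try:
        fetch_document_checked("acct-C", 1001)
    except KeyError:
        print("hardened handler refused cross-account access")
    print(flag_enumeration(SAMPLE_LOG))   # {'acct-C': (9, 2)}
```

The thresholds in `flag_enumeration` are deliberately low so the constructed log trips them; in production they would be tuned against normal per-account retrieval rates, and the check would typically run per time window rather than over the whole log.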

According to Galvin, Fidelity notified affected customers after the data breach, but failed to notify beneficiaries and other affected individuals that their data had been compromised.

According to a Fidelity spokesperson, the firm “immediately” terminated the hacker’s access after learning of the breach, launched an investigation “with assistance from external security experts” and alerted law enforcement. The spokesperson said the incident didn’t involve access to Fidelity customers’ accounts or funds.

“We reached out to the impacted customers in accordance with applicable laws and notified appropriate regulators. In the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this incident,” the spokesperson said. “We remain fully committed to the security of our clients’ accounts and personal information, and we continue to provide resources to impacted clients so they may take steps to further protect themselves.”


The spokesperson also said the firm offered a Customer Protection Guarantee that reimburses clients for losses from “unauthorized activity” in covered accounts. 

Fidelity neither admitted nor denied the findings as part of the settlement, but it agreed to hire an “independent cybersecurity consultant,” to remediate the cybersecurity controls at issue and to notify all Massachusetts residents affected by the breach who had not previously been notified.

Fidelity’s settlement with Massachusetts comes several days after LPL Financial revealed a data breach to Maine’s Attorney General, in which cybercriminals used advisors’ devices to access client accounts, leading to “unauthorized securities transactions and financial transfers” (the breach apparently occurred in November of last year).

Fidelity is the latest of a growing number of financial services firms to suffer data breaches; many of the details of these alleged hacks have emerged in class action suits brought by clients accusing the firms of failing to protect their private data from cybercriminals.

Firms in the crosshairs of hackers and class-action complaints include Cetera Financial, Ameriprise, Hightower Advisors, Mercer Advisors, Edelman Financial Engines, Beacon Pointe Advisors and Pathstone Family Office, among others.
