
Executive Summary

Fidelity Brokerage Services was fined $1.25 million by Massachusetts regulators after a three-day cyberattack in August 2024 exposed personal information of approximately 77,000 customers, including Social Security numbers, passport and driver's license images, and medical data. The breach occurred when an attacker exploited a vulnerability in Fidelity's online access controls that allowed manipulation of document identifiers to view other customers' files. Fidelity failed to notify affected ...

What Happened

Between August 17 and 19, 2024, an attacker exploited a vulnerability in Fidelity Brokerage Services' online document access system by editing the ten-digit image identifiers in web requests to view other customers' files. The three-day breach exposed personal information of approximately 77,000 individuals, including Social Security numbers, active credit card and financial account numbers, passport and driver's license images, and medical information. On April 27, 2026, Massachusetts Secretary of the Commonwealth William Galvin fined Fidelity $1.25 million for failing to enforce appropriate cybersecurity controls and for not notifying all affected parties, including beneficiaries and relatives whose information was compromised.
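The access-control failure described above, shown as an added illustration that is not Fidelity's code and not part of the original summary: a hypothetical document-fetch handler that trusts the identifier alone, beside one that checks ownership server side, plus a retrospective log check for the kind of identifier enumeration the incident describes. The document store, account names and log format are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str          # ten-digit image identifier, as in the incident
    owner_account: str
    content: bytes


# Constructed sample store: documents belonging to two different customers.
DOCUMENTS = {
    "0000000101": Document("0000000101", "acct-A", b"passport scan, customer A"),
    "0000000102": Document("0000000102", "acct-B", b"driver's license, customer B"),
    "0000000103": Document("0000000103", "acct-B", b"medical form, customer B"),
}


class AccessDenied(Exception):
    pass


def fetch_document_vulnerable(requester: str, doc_id: str) -> bytes:
    # Looks the file up by identifier alone, so any logged-in user who edits
    # the id in the request reads whatever document that id names.
    return DOCUMENTS[doc_id].content


def fetch_document_secure(requester: str, doc_id: str) -> bytes:
    # The id is a lookup key, never an authorisation token: ownership is
    # checked server side, and missing and foreign ids fail identically.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_account != requester:
        raise AccessDenied(doc_id)
    return doc.content


# Constructed access-log lines: "session account doc_id".
ACCESS_LOG = "s1 acct-A 0000000101\ns2 acct-B 0000000102\ns2 acct-B 0000000103\n" \
             "s1 acct-A 0000000102\ns1 acct-A 0000000103\ns1 acct-A 0000000104\n"


def flag_enumeration(log_text: str, threshold: int = 2) -> dict:
    # Retrospective detection: per session, count distinct requested ids that
    # the session's account does not own (ids that do not exist count too).
    # Applies to the vulnerable service as well, where such requests succeeded.
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        session, account, doc_id = line.split()
        doc = DOCUMENTS.get(doc_id)
        if doc is None or doc.owner_account != account:
            foreign[session].add(doc_id)
    return {s: len(ids) for s, ids in foreign.items() if len(ids) >= threshold}
```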

Who Is Affected

Approximately 77,000 customers nationwide were affected, including at least 2,768 individuals in Massachusetts. The breach also exposed personal information of beneficiaries and relatives of Fidelity customers, some of whom were minors, though Fidelity failed to notify these secondary victims. Customer financial accounts and funds were not directly accessed during the incident.

Why It Matters

This breach demonstrates how basic access control failures at major financial institutions can expose highly sensitive personal and medical data for thousands of customers over multiple days before detection. The regulatory action underscores that firms have legal obligations to notify all individuals whose data is compromised, not just direct customers, and that insufficient enforcement of existing cybersecurity protocols can result in significant penalties. The incident adds to a growing pattern of data breaches at large financial advice firms affecting client privacy.

What You Should Do

If you are a Fidelity customer or beneficiary of a Fidelity account and were contacted about this breach, monitor your credit reports, bank statements, and medical records for unauthorized activity. Place a fraud alert or credit freeze with the major credit bureaus if you have not already done so. If you believe your information may have been exposed but were not notified by Fidelity, contact them directly to confirm whether your data was included in the breach and request details about what specific information was accessed.
