William Galvin, Massachusetts' top securities regulator, ordered Fidelity Brokerage Services on Monday to pay $1.25 million for failing to enforce appropriate cybersecurity controls that resulted in a data breach affecting about 77,000 customers.
"After learning of the breach, Fidelity also failed to notify many impacted residents, including the relatives and minor children of Fidelity customers," Galvin's office said.
At least 2,768 Massachusetts customers and individuals were affected by the breach, which occurred between Aug. 17 and 19, 2024.
On April 22, Fidelity submitted an Offer of Settlement but neither admitted nor denied Galvin's order.
In mid-March, Fidelity agreed to pay $2.5 million to settle a class action lawsuit over the 2024 data breach. A U.S. district judge in Massachusetts last week preliminarily approved the settlement, in which Fidelity agreed to establish a fund and to set up or keep enhanced business practices.
Galvin also ordered Fidelity to engage an independent cybersecurity consultant, certify that cybersecurity controls related to customer data have been changed and enhanced, and to identify and notify all Massachusetts residents whose personal information was exposed in the data breach and who were not previously notified.
Order Details
"Fidelity failed to enforce certain cybersecurity controls necessary to restrict unauthorized access by customers to images of documents associated with other customer accounts within an internal database," Galvin's Enforcement Division concluded.
As a result, an unidentified and unauthorized third party accessed and obtained images of documents bearing sensitive information, including personally identifiable information.
"Fidelity's insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing Social Security numbers, active credit card and financial account numbers, medical information, passports, driver's licenses, and other personally identifiable information," the consent order states.
The documents accessed in the data breach contained not only the information of existing Fidelity customers, but also that of beneficiaries and relatives, some of whom were minors.
"While Fidelity took steps after the data breach to notify affected customers, the company failed to notify the beneficiaries and others that their personal information had been compromised," Galvin's order states.
The breach occurred when a bad actor exploited a vulnerability in Fidelity's online access controls that allowed any Fidelity customer to access the documents of another customer, the order continues.
"By manipulating the ten digit 'Image ID' displayed in the browser when accessing the customer's own documents, the customer could access other users' documents as well," the order states.
"At the time of the data breach, Fidelity did not reasonably enforce its technical security policies designed to restrict users ... to accessing only the images in the Document Image Repository that are associated with the user's account," the consent order states.
"Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers," the order said.
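The weakness the order describes is a classic insecure direct object reference: the server looked up a document image by the identifier in the request without confirming that the image belonged to the authenticated account. The following Python is an added illustration written for this article, not Fidelity's code and not taken from the consent order; the account names, ten-digit image IDs, document contents and request log are all constructed. It shows the unscoped lookup beside an account-scoped one, and a simple per-account denial count of the kind that would surface ID manipulation while it is still in progress rather than days later.

```python
"""Added illustration (not Fidelity's code): an unscoped document-image lookup
beside an account-scoped one, plus a denial-rate signal over constructed
requests. Every identifier and document below is made up for the example."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DocumentImage:
    image_id: str       # ten-digit identifier, as the order describes
    owner_account: str  # the account the image belongs to
    content: bytes


# Constructed sample Document Image Repository: three images across two accounts.
REPOSITORY: Dict[str, DocumentImage] = {
    "0000000101": DocumentImage("0000000101", "acct-alice", b"alice-passport-scan"),
    "0000000102": DocumentImage("0000000102", "acct-alice", b"alice-drivers-license"),
    "0000000103": DocumentImage("0000000103", "acct-bob", b"bob-tax-form"),
}


class AccessDenied(Exception):
    """Raised when an image is missing or not owned by the requesting account."""


def fetch_image_unscoped(session_account: str, image_id: str) -> Optional[bytes]:
    """The defective pattern: the lookup keys on image_id alone, so the
    authenticated account is never compared against the image's owner and
    any valid ID returns the document."""
    doc = REPOSITORY.get(image_id)
    return doc.content if doc else None


def fetch_image_scoped(session_account: str, image_id: str) -> bytes:
    """The corrected pattern: ownership is part of the lookup itself, not an
    afterthought applied once the record has already been read."""
    doc = REPOSITORY.get(image_id)
    if doc is None or doc.owner_account != session_account:
        # One response for both 'no such image' and 'not yours', so a caller
        # learns nothing about which IDs exist.
        raise AccessDenied(f"image not available to {session_account}")
    return doc.content


def can_access(session_account: str, image_id: str) -> bool:
    """Boolean wrapper around the scoped lookup, handy for tests and logging."""
    try:
        fetch_image_scoped(session_account, image_id)
        return True
    except AccessDenied:
        return False


def accounts_over_denial_threshold(
    requests: Iterable[Tuple[str, str]], threshold: int = 3
) -> Dict[str, int]:
    """Replays (account, image_id) requests through the scoped lookup and
    returns accounts whose denial count reaches the threshold. A burst of
    denials from one session is the signal an access-control monitor should
    raise; the threshold is an assumed tuning value, not a standard."""
    denials: Counter = Counter()
    for account, image_id in requests:
        if not can_access(account, image_id):
            denials[account] += 1
    return {acct: n for acct, n in denials.items() if n >= threshold}


# Constructed request log: one account reads its own image, then asks for
# three IDs that are not associated with it; another reads its own image.
SAMPLE_REQUESTS = [
    ("acct-bob", "0000000103"),
    ("acct-bob", "0000000101"),
    ("acct-bob", "0000000102"),
    ("acct-bob", "0000000104"),
    ("acct-alice", "0000000101"),
]

if __name__ == "__main__":
    print("unscoped lookup leaks:", fetch_image_unscoped("acct-bob", "0000000101"))
    print("scoped lookup allows owner:", can_access("acct-alice", "0000000101"))
    print("scoped lookup blocks non-owner:", can_access("acct-bob", "0000000101"))
    print("accounts to review:", accounts_over_denial_threshold(SAMPLE_REQUESTS))
```

The important design choice is that the scoped version makes the owning account a condition of the lookup rather than a check bolted on after the fact, so there is no code path that returns an image without it. Replacing predictable ten-digit IDs with random ones is worth doing as defence in depth, but it is not a substitute for this check, since an unguessable ID still has to be authorised once it is known.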
Fidelity Responds
In a statement to ThinkAdvisor on Monday, Fidelity said that "between August 17 and 19, 2024, a third party accessed and obtained certain information from a Fidelity database without authorization. Fidelity detected the activity and immediately took steps to terminate access and remediate the issue. An investigation was promptly launched with assistance from external security experts, and we promptly notified law enforcement.
"Through the investigation, Fidelity learned that a third party accessed and obtained images of certain documents bearing information of a small subset of customers. The incident did not involve any access to Fidelity customers' accounts or funds. We reached out to the impacted customers in accordance with applicable laws and notified appropriate regulators. In the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this incident."