Fidelity Agrees to $1.25M Settlement After 2024 Breach Exposed 77K Records
Fidelity pays $1.25M settlement after a 2024 data breach exposed 77,000 records. Learn about the incident's impact, cause, and key mitigation steps.
TL;DR
Fidelity has agreed to pay a $1.25 million settlement following a 2024 data breach that exposed sensitive personal information for approximately 77,000 individuals. The settlement resolves allegations of failing to adequately protect customer data.
Massachusetts Secretary of the Commonwealth William Galvin announced the $1.25 million settlement with Fidelity related to a data breach occurring in 2024. The firm faced allegations of inadequate protection for private information belonging to thousands of clients and other individuals. Fidelity did not admit or deny the findings as part of the agreement.
An unidentified, unauthorized third party accessed document images containing sensitive data between August 17 and 19, 2024. Threat actors exploited a vulnerability tied to Fidelity’s access controls, leveraging previously opened brokerage accounts to log into the website. From this authenticated state, they used a document image retrieval function to access associated records.
During the incident, hackers attempted roughly 23.7 million image retrieval calls, successfully accessing about 373,000 unique document images. The exposed data included Social Security, passport, and driver’s license numbers, along with financial account, insurance, and medical information, and scanned images of active credit cards. Impacted individuals numbered approximately 77,000, including 2,768 Massachusetts residents. This scope extended beyond direct customers to relatives, beneficiaries, and even minors associated with client transactions.
Fidelity immediately terminated the unauthorized access and launched an investigation with external security experts, also alerting law enforcement. The firm stated no evidence of identity theft or fraud has emerged in the nearly two years since the incident. Fidelity notified affected customers and regulators but initially failed to notify all impacted individuals, a point addressed in the settlement requiring broader notification for Massachusetts residents.
This settlement highlights the importance of robust access control mechanisms and a comprehensive data inventory for any organization holding sensitive records. The pattern described, a logged-in account using a document image retrieval function to pull records belonging to other people, is characteristic of an Insecure Direct Object Reference (IDOR) flaw: the application verified that the caller was authenticated but not that the caller was authorized for the specific document requested, so identifiers could be manipulated or enumerated to reach other people's data. The ratio of roughly 23.7 million retrieval calls to about 373,000 images actually returned is consistent with mass identifier enumeration rather than targeted lookups. In MITRE ATT&CK terms, the use of previously opened brokerage accounts maps to T1078 (Valid Accounts), and the abuse of the retrieval function to T1190 (Exploit Public-Facing Application).
Organizations must enforce authorization on every object reference, not only at login: each request for a document must verify that the authenticated principal is entitled to that specific record, and the "not found" and "not authorized" responses should be indistinguishable so the endpoint cannot be used to confirm which identifiers exist. Regular security audits, penetration testing focused on authorization flaws (including identifier enumeration), and secure code review are essential for finding such defects before an attacker does. Incident response plans must also account for a broad range of affected parties, including non-customers such as relatives, beneficiaries and minors whose data resides in organizational systems. Finally, logging every retrieval with the requesting account and detecting high-volume, low-success request patterns in near real time can give early warning of this kind of attack: a single account issuing thousands of retrieval calls, the overwhelming majority of which fail, is a strong enumeration signal.
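To make the two points above concrete, here is an added example (not Fidelity's code, and not a reconstruction of their application): a document-image retrieval function written the vulnerable way, where only authentication is checked, beside a hardened version that authorizes every object reference, plus a sliding-window monitor that flags an account making many retrieval calls with a high failure rate. The document store, the account-to-subject authorization map, the thresholds and the simulated attacker are all constructed for illustration.

```python
"""Added example, not Fidelity's code: an IDOR-prone document retrieval
function beside its hardened form, plus a per-account request monitor that
flags high-volume, low-success retrieval patterns.

Everything here is hypothetical: the store, the account/subject mapping and
the detector thresholds are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample data: document images keyed by a sequential id, each
# tagged with the subject whose personal data it holds.
DOCUMENTS = {
    1001: {"subject_id": "S1", "image": b"<scan: passport of S1>"},
    1002: {"subject_id": "S2", "image": b"<scan: licence of S2>"},
    1003: {"subject_id": "S3", "image": b"<scan: credit card of S3>"},
}

# Constructed authorization map: which subjects each logged-in account may
# view. Account A may see S1's records, account B only S2's.
AUTHORIZED_SUBJECTS = {
    "acct-A": {"S1"},
    "acct-B": {"S2"},
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Document does not exist or is not visible to the caller."""


def get_image_vulnerable(account, doc_id):
    """IDOR pattern: any authenticated account can fetch any document id."""
    if account not in AUTHORIZED_SUBJECTS:  # authentication check only
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["image"]


def get_image_hardened(account, doc_id):
    """Authentication, then per-object authorization on every call."""
    if account not in AUTHORIZED_SUBJECTS:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # One error for "missing" and "not yours": the endpoint must not act as
    # an oracle that confirms which ids exist.
    if doc is None or doc["subject_id"] not in AUTHORIZED_SUBJECTS[account]:
        raise NotFound(doc_id)
    return doc["image"]


class RetrievalMonitor:
    """Sliding-window detector: alert when one account makes many retrieval
    calls inside the window and most of them fail, the signature of
    identifier enumeration."""

    def __init__(self, window_seconds=60.0, min_attempts=50, max_failure_ratio=0.5):
        self.window = window_seconds
        self.min_attempts = min_attempts
        self.max_failure_ratio = max_failure_ratio
        self.events = defaultdict(deque)  # account -> deque of (ts, ok)

    def record(self, account, ts, ok):
        """Log one call; return True if the account now trips the rule."""
        q = self.events[account]
        q.append((ts, ok))
        while q and q[0][0] < ts - self.window:  # drop events outside window
            q.popleft()
        attempts = len(q)
        failures = sum(1 for _, was_ok in q if not was_ok)
        return attempts >= self.min_attempts and failures / attempts >= self.max_failure_ratio


def simulate_enumeration(fetch, account, doc_ids):
    """Replay one call per second from `account` over `doc_ids` against the
    given fetch function. Returns (ids actually served, the id at which the
    monitor first alerted, or None if it never did)."""
    monitor = RetrievalMonitor()
    served, first_alert = [], None
    for second, doc_id in enumerate(doc_ids):
        try:
            fetch(account, doc_id)
            served.append(doc_id)
            ok = True
        except (Forbidden, NotFound):
            ok = False
        if monitor.record(account, float(second), ok) and first_alert is None:
            first_alert = doc_id
    return served, first_alert


if __name__ == "__main__":
    ids = range(1000, 1100)  # attacker walks a block of sequential ids
    print("vulnerable:", simulate_enumeration(get_image_vulnerable, "acct-B", ids))
    print("hardened:  ", simulate_enumeration(get_image_hardened, "acct-B", ids))
    print("legit use: ", simulate_enumeration(get_image_hardened, "acct-A", [1001] * 5))
```

Against the vulnerable function, account B walking a hundred sequential ids is served all three stored images, including records it has no relationship to; against the hardened function it receives only its own. In both cases the monitor alerts on the 50th call, because almost every request in the window failed. The thresholds are illustrative, but the shape of the signal is the one the incident figures describe: calls in the tens of millions against images in the hundreds of thousands means the overwhelming majority of requests returned nothing, which is exactly what a low-success-ratio rule keyed on the requesting account is built to catch.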
The financial services sector continues to face intense scrutiny regarding data protection. Organizations should expect continued regulatory pressure to enhance cybersecurity postures and ensure comprehensive notification protocols. Focus will remain on secure application development and exhaustive data mapping to identify all potentially exposed information.