Cybersecurity · 1 day ago

Fidelity Settles Massachusetts Data Breach Case for $1.25 Million

Fidelity settles with Massachusetts for $1.25 million after a 2024 breach exposed 77,000 records. Includes timeline, impact, and defender actions.

Peter Olaleru · 3 min read · US

Cybersecurity Editor

Source: Wealthmanagement (original source)

Fidelity paid $1.25 million to resolve Massachusetts allegations that it failed to protect customer data during an August 2024 breach. The incident exposed roughly 77,000 records, including Social Security numbers and financial details, and led to new notification and oversight requirements.

Context

Between August 17 and 19, 2024, an unidentified third party used brokerage accounts that had been opened earlier to log into Fidelity's website as an authenticated user. The attackers exploited a weakness in the firm's access controls, then abused a document image retrieval function, which did not adequately tie each request to the requesting account, to "fish" for files linked to other customers' accounts.
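The access-control weakness described above is, in application-security terms, a broken object-level authorization (also called an insecure direct object reference): an authenticated user asks for a document by identifier and the server never checks that the document belongs to that user. The following is an added illustration written for this article, not Fidelity's code and not derived from the settlement; the account names, document IDs, file contents and the sequential ID scheme are all constructed. It shows a vulnerable retrieval function beside a hardened one and simulates the "fishing" loop against each.

```python
"""Added illustration (not Fidelity's code): an authenticated-user document
retrieval endpoint with a broken object-level authorization (BOLA/IDOR)
flaw, beside a hardened version that binds every lookup to the caller's
account. All accounts, document IDs and file contents are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_account: str
    image: bytes


# Constructed store. IDs are sequential, so an attacker can simply count.
DOCUMENTS = {
    1001: Document(1001, "acct-A", b"<scan: passport A>"),
    1002: Document(1002, "acct-B", b"<scan: driver license B>"),
    1003: Document(1003, "acct-A", b"<scan: W-9 A>"),
    1004: Document(1004, "acct-C", b"<scan: credit card C>"),
}


def get_document_vulnerable(caller_account: str, doc_id: int) -> bytes | None:
    """The caller is authenticated (they are logged in), but the lookup never
    checks that the document belongs to them: any valid ID returns the file."""
    doc = DOCUMENTS.get(doc_id)
    return doc.image if doc else None


def get_document_hardened(caller_account: str, doc_id: int) -> bytes | None:
    """Object-level authorization: the lookup is scoped to the caller's own
    account. A missing document and another customer's document produce the
    same result, so the endpoint cannot be used to probe which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_account != caller_account:
        return None
    return doc.image


def enumerate_documents(fetch, caller_account: str, id_range: range) -> dict[int, bytes]:
    """Simulates the 'fishing' loop: walk an ID range as one authenticated
    user and keep whatever comes back."""
    found: dict[int, bytes] = {}
    for doc_id in id_range:
        image = fetch(caller_account, doc_id)
        if image is not None:
            found[doc_id] = image
    return found


if __name__ == "__main__":
    probe = range(1000, 1010)
    leaked = enumerate_documents(get_document_vulnerable, "acct-A", probe)
    scoped = enumerate_documents(get_document_hardened, "acct-A", probe)
    print(f"vulnerable endpoint: {len(leaked)} files, "
          f"{len(leaked) - len(scoped)} belong to other customers")
    print(f"hardened endpoint:   {len(scoped)} files, all owned by acct-A")
```

The hardened function deliberately returns the same "nothing" for a document that does not exist and for one owned by someone else; a distinct 403 for the latter would turn the endpoint into an oracle for which IDs are live. The ownership check must run server-side on every request, not be inferred from the fact that the caller is logged in.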

Key Facts

The attackers made about 23.7 million requests for document images, successfully retrieving roughly 373,000 unique files. Exposed data included Social Security, passport, and driver’s license numbers, financial account information, insurance and medical details, and scanned images of active credit cards. Approximately 77,000 individuals were affected, of whom 2,768 were Massachusetts residents; some were relatives, beneficiaries, or minors who were not direct Fidelity customers. Fidelity notified affected customers and regulators but did not initially inform beneficiaries or other impacted individuals. A spokesperson said there is no evidence of identity theft or fraud stemming from the breach.

What It Means

The settlement requires Fidelity to hire an independent cybersecurity consultant, verify that its cyber controls have been changed, and pledge to notify all Massachusetts residents whose data was exposed but who had not previously received notice. The case highlights how attackers can leverage valid credentials to pivot from account access to bulk data exfiltration.

Mitigations

Security teams should enforce server-side object-level authorization on every document or record lookup: each request must be scoped to the authenticated account, and a file that belongs to someone else should be indistinguishable from one that does not exist. Least-privilege access and multi-factor authentication remain baseline controls for web-facing applications, but they would not have stopped this pattern on their own, since the attackers were logged in to accounts they controlled. In MITRE ATT&CK terms the initial access maps to T1078 (Valid Accounts); the abuse pattern itself is an insecure direct object reference, listed as Broken Object Level Authorization (API1:2023) in the OWASP API Security Top 10. Monitor for anomalous volumes of document-retrieval calls per account and per session, and apply rate limiting, CAPTCHA, or step-up verification on sensitive functions. Regularly review and close dormant brokerage or customer accounts that could be repurposed as a foothold. Deploy logging that records the account, the requested object ID, and the authorization outcome for each request, and alert on spikes in distinct object IDs or denied lookups from a single account, which is the signature of "fishing" behavior.
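To make the detection advice above concrete, here is an added example, written for this article and not taken from Fidelity or the settlement, that runs a simple "fishing" detector over a handful of constructed access-log lines. The log format, account names, document IDs, timestamps and thresholds are all assumptions; a real deployment would take the same signals (distinct object IDs and denied lookups per account over a time window) from its web or API gateway logs.

```python
"""Added example (not from the article or Fidelity): flag accounts whose
document-retrieval pattern looks like ID enumeration. Log format, accounts,
IDs and thresholds are constructed for the illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log lines: <unix_ts> <account> GET /documents/<id>/image <status>
SAMPLE_LOG = """\
1723939200 acct-A GET /documents/1001/image 200
1723939205 acct-A GET /documents/1003/image 200
1723939210 acct-X GET /documents/2000/image 404
1723939210 acct-X GET /documents/2001/image 403
1723939211 acct-X GET /documents/2002/image 200
1723939211 acct-X GET /documents/2003/image 403
1723939212 acct-X GET /documents/2004/image 200
1723939212 acct-X GET /documents/2005/image 403
1723939213 acct-X GET /documents/2006/image 404
1723939213 acct-X GET /documents/2007/image 200
1723939214 acct-B GET /documents/1002/image 200
1723939214 acct-B GET /documents/1002/image 200
"""


@dataclass
class AccountStats:
    requests: int = 0
    unique_ids: set[int] = field(default_factory=set)
    denied: int = 0        # 403/404: ID not owned by the caller, or nonexistent
    first_ts: int = 0
    last_ts: int = 0


def parse_line(line: str) -> tuple[int, str, int, int] | None:
    """Return (timestamp, account, doc_id, status), or None if the line is not
    a document-image request in the constructed format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "GET":
        return None
    path = parts[3].split("/")
    if len(path) != 4 or path[1] != "documents" or path[3] != "image":
        return None
    return int(parts[0]), parts[1], int(path[2]), int(parts[4])


def aggregate(log_text: str) -> dict[str, AccountStats]:
    """Per-account counters: requests, distinct IDs, denials, time span."""
    stats: dict[str, AccountStats] = defaultdict(AccountStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, account, doc_id, status = rec
        s = stats[account]
        if s.requests == 0:
            s.first_ts = ts
        s.last_ts = ts
        s.requests += 1
        s.unique_ids.add(doc_id)
        if status in (403, 404):
            s.denied += 1
    return dict(stats)


def flag_fishing(stats: dict[str, AccountStats], *, max_unique_ids: int = 5,
                 max_denied_ratio: float = 0.25, min_requests: int = 5) -> dict[str, str]:
    """Return {account: reason} for accounts that look like they are
    enumerating IDs: many distinct documents in one session, or a high share
    of denied lookups (a genuine customer almost never asks for a file that
    is not theirs). Thresholds are illustrative."""
    flagged: dict[str, str] = {}
    for account, s in stats.items():
        if s.requests < min_requests:
            continue
        denied_ratio = s.denied / s.requests
        if len(s.unique_ids) > max_unique_ids:
            span = s.last_ts - s.first_ts + 1
            flagged[account] = f"{len(s.unique_ids)} distinct document IDs in {span}s"
        elif denied_ratio > max_denied_ratio:
            flagged[account] = f"{denied_ratio:.0%} of document lookups denied"
    return flagged


if __name__ == "__main__":
    for account, reason in flag_fishing(aggregate(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {reason}")
```

The denied-lookup signal only exists if the retrieval endpoint actually enforces ownership and logs the outcome; against an endpoint with the weakness described in the article, every request succeeds and the distinct-ID count per account is the remaining signal, which is why both are checked.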

Watch for further regulatory actions against financial firms that rely on legacy access‑control models and for any updates to Fidelity’s independent consultant report.
