Galvin Fines Fidelity $1.25 Million Over Data Breach Impacting Massachusetts Residents
Secretary of the Commonwealth William F. Galvin has issued a $1.25 million fine against Fidelity Brokerage Services, after the Massachusetts broker-dealer’s failure to enforce appropriate cybersecurity controls allowed a data breach affecting approximately 77,000 customers. After learning of the breach, Fidelity also failed to notify many impacted residents, including the relatives and minor children of Fidelity customers.
According to a consent order filed with Galvin’s Securities Division today, Fidelity’s insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing social security numbers, active credit card and financial account numbers, medical information, passports, driver’s licenses, and other personally identifiable information.
The documents accessed in the data breach contained not only the information of existing Fidelity customers, but also that of beneficiaries and relatives, some of whom were minors. While Fidelity took steps after the data breach to notify affected customers, the company failed to notify the beneficiaries and others that their personal information had been compromised.
As explained in the consent order, the breach occurred when a bad actor exploited a vulnerability in Fidelity’s online access controls that allowed any Fidelity customer to access the documents of another customer. By manipulating the ten-digit “Image ID” displayed in the browser when accessing the customer’s own documents, the customer could access other users’ documents as well.
“At the time of the data breach, Fidelity did not reasonably enforce its technical security policies designed to restrict users… to accessing only the images in the Document Image Repository that are associated with the user’s account,” the consent order states.
“Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers,” the order continues.
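The failure the consent order describes is an access-control check that stops at authentication: the user is logged in, but the document lookup is keyed on the Image ID alone, so nothing ties the image to the requesting account. The following is an added illustration, not Fidelity’s code and not taken from the consent order; the repository, account names, image IDs and log format are all constructed for the example. It shows the vulnerable lookup beside a hardened one that binds each image to the authenticated account, returns the same "not found" result whether the image is missing or belongs to someone else, and records denials so that repeated probing of adjacent IDs can be surfaced.

```python
"""Added example (constructed, not the page's or Fidelity's code): per-object
authorization on a document-image lookup, with audit logging and a simple
detector for repeated denied lookups from one account."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DocumentImage:
    image_id: str        # ten-digit numeric identifier, as shown in the browser URL
    owner_account: str   # account the image belongs to
    content: bytes


class NotFound(Exception):
    """Raised for both 'no such image' and 'not your image'."""


@dataclass
class ImageRepository:
    images: dict = field(default_factory=dict)   # image_id -> DocumentImage
    audit_log: list = field(default_factory=list)

    def get_image_vulnerable(self, user_account: str, image_id: str) -> bytes:
        # Vulnerable pattern: the caller is authenticated, but the lookup is keyed
        # on the image ID alone, so nothing ties the image to the caller's account.
        img = self.images.get(image_id)
        if img is None:
            raise NotFound(image_id)
        return img.content

    def get_image(self, user_account: str, image_id: str) -> bytes:
        # Hardened pattern: the image must exist AND belong to the calling account.
        # Both failure cases are reported identically so the response does not act
        # as an oracle for which IDs are valid. Every denial is logged.
        img = self.images.get(image_id)
        if img is None or img.owner_account != user_account:
            self.audit_log.append({"account": user_account, "image_id": image_id, "result": "denied"})
            raise NotFound(image_id)
        self.audit_log.append({"account": user_account, "image_id": image_id, "result": "allowed"})
        return img.content


def can_access(repo, user_account, image_id, hardened=True) -> bool:
    """True if the chosen lookup returns the image, False if it refuses."""
    getter = repo.get_image if hardened else repo.get_image_vulnerable
    try:
        getter(user_account, image_id)
        return True
    except NotFound:
        return False


def suspicious_accounts(audit_log, threshold=3):
    """Accounts with at least `threshold` denied lookups: the pattern expected
    from an authenticated user walking through neighbouring Image IDs."""
    counts = {}
    for entry in audit_log:
        if entry["result"] == "denied":
            counts[entry["account"]] = counts.get(entry["account"], 0) + 1
    return sorted(acct for acct, n in counts.items() if n >= threshold)


def build_demo_repository():
    # Constructed sample data: three customers, one image each.
    repo = ImageRepository()
    for image_id, owner, content in [
        ("0000000101", "acct-alice", b"alice-passport-scan"),
        ("0000000102", "acct-bob", b"bob-drivers-license"),
        ("0000000103", "acct-carol", b"carol-beneficiary-form"),
    ]:
        repo.images[image_id] = DocumentImage(image_id, owner, content)
    return repo


def run_demo():
    repo = build_demo_repository()
    results = {
        "vulnerable_cross_account": can_access(repo, "acct-alice", "0000000102", hardened=False),
        "hardened_own": can_access(repo, "acct-alice", "0000000101"),
        "hardened_cross_account": can_access(repo, "acct-alice", "0000000102"),
    }
    # Constructed scenario: one account requests several adjacent IDs it does not
    # own; the accumulated denials are enough to flag it for review.
    for probe in ("0000000102", "0000000103", "0000000104"):
        can_access(repo, "acct-alice", probe)
    results["flagged"] = suspicious_accounts(repo.audit_log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The ownership check is the actual fix; an unguessable identifier in the URL would only be defence in depth and is no substitute for it. Logging the denials in the same code path that enforces the check is what lets a monitoring rule distinguish a mistyped link from the three-day pattern of cross-account access the order describes.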
In addition to paying the $1.25 million administrative fine, the Division has ordered Fidelity to engage an independent cybersecurity consultant, to certify that cybersecurity controls related to customer data have been changed and enhanced, and to identify and notify all Massachusetts residents whose personal information was exposed in the data breach and who were not previously notified.