Fidelity to Pay $1.25M to Settle Massachusetts Claims From 2024 Data Breach

According to regulators, the firm failed to enforce cybersecurity controls, exposing the personal data of about 77,000 customers.

Fidelity Brokerage Services will pay $1.25 million to resolve allegations by Massachusetts regulators that it failed to adequately safeguard customer data, allowing an alleged 2024 breach that exposed sensitive personal information of thousands of clients and related individuals.

The settlement, announced Monday by William Galvin, secretary of the commonwealth of Massachusetts, stems from an August 2024 data breach in which a third party gained unauthorized access to documents containing highly sensitive data, including Social Security numbers, financial account details and medical information.


According to regulators, the breach affected approximately 77,000 customers and was made possible by weaknesses in Fidelity’s internal cybersecurity controls, which allowed users to access documents that were not their own. The vulnerability involved manipulation of a document identification system: by altering the identifier used to request a document, a user could view other customers’ records, and this access continued over a three-day period. That pattern, in which a server resolves a client-supplied object identifier without adequately confirming that the requester is entitled to the object, is what practitioners call an insecure direct object reference (IDOR), or broken object-level authorization.
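The following is an added, generic illustration of the flaw class described above, not Fidelity’s code and not a description of its actual system, about which the regulators’ account gives no technical detail. It shows a document lookup that trusts the client-supplied identifier beside one that enforces object-level authorization, and a small routine that simulates an authenticated user walking a range of identifiers against each. The users, document identifiers and contents are constructed.

```python
"""
Illustration of an insecure direct object reference (IDOR): a document
endpoint that looks documents up by identifier but does not confirm that
the requesting user owns the document, beside the hardened version.

Constructed example. Users ("alice", "bob"), document IDs and contents
are made up; nothing here describes a real system.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    contents: str


class Forbidden(Exception):
    """Raised when a user asks for a document they are not entitled to."""


# Constructed data store with sequential numeric IDs, the kind that makes
# enumeration trivial once the ownership check is missing.
DOCUMENTS = {
    "1001": Document("1001", "alice", "alice: SSN and account statement"),
    "1002": Document("1002", "bob", "bob: SSN and account statement"),
    "1003": Document("1003", "alice", "alice: beneficiary form"),
}


def get_document_vulnerable(user: str, doc_id: str) -> Document:
    """Vulnerable: authentication happened upstream (we trust `user`), but
    the lookup is keyed on the client-supplied ID alone. Any logged-in user
    who changes 1001 to 1002 in the request receives bob's document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc


def get_document_hardened(user: str, doc_id: str) -> Document:
    """Hardened: object-level authorization on every access. A document
    belonging to someone else is reported exactly like a missing one, so
    the endpoint cannot be used to confirm which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        raise Forbidden(f"{user} may not access {doc_id}")
    return doc


def list_documents(user: str) -> list[str]:
    """Server-side scoping: derive the visible set of IDs from the session
    identity, never from client input."""
    return sorted(d.doc_id for d in DOCUMENTS.values() if d.owner == user)


def enumerate_as(user: str, fetch, id_range) -> list[str]:
    """Simulate the abuse: an authenticated user walks a range of IDs and
    keeps whatever the endpoint returns. Returns the owners of documents
    obtained that do not belong to `user`."""
    leaked = []
    for n in id_range:
        try:
            doc = fetch(user, str(n))
        except (KeyError, Forbidden):
            continue
        if doc.owner != user:
            leaked.append(doc.owner)
    return leaked


def new_document_id() -> str:
    """Unguessable identifiers for newly issued documents. This is defence
    in depth against enumeration, not a substitute for the ownership check."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", enumerate_as("alice", get_document_vulnerable, ids))
    print("hardened leaks:  ", enumerate_as("alice", get_document_hardened, ids))
    print("alice's documents:", list_documents("alice"))
```

The check that matters is the one in `get_document_hardened`: it is made per request against the session identity, and a foreign document and a missing one produce the same response. Opaque identifiers from `new_document_id` only raise the cost of guessing; they do not replace the authorization check.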

Data breaches have become exceedingly familiar, especially for financial firms. Earlier this month, OneDigital warned clients of a Salesforce data breach affecting more than 25,000 customers, and Allianz Life experienced a breach in July 2025, to name two.

In addition to the financial penalty, the settlement requires Fidelity to hire an independent cybersecurity consultant and to certify that it has strengthened its data-protection systems. The firm must also identify and notify any Massachusetts residents affected by the breach who were not previously informed, including beneficiaries, relatives and minors whose information may have been compromised.

State officials stated that while Fidelity notified many customers, it failed to alert others whose data had been exposed, raising concerns about gaps in the company’s response after discovering the breach.

Fidelity did not admit or deny the findings as part of the agreement.

The regulatory action comes as financial firms face increasing scrutiny over cybersecurity practices amid a rise in attacks targeting sensitive client data. Fidelity has also agreed separately to pay $2.5 million to settle a consolidated class action lawsuit related to the same incident.

A Fidelity spokesperson said that “in the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this Incident.”
