Fidelity Fined for Failure to Enforce Cybersecurity Controls

What Happened?

Fidelity Brokerage Services has agreed to pay $1.25 million after it failed to enforce “appropriate cybersecurity controls” in 2024, leading to a significant data breach affecting approximately 77,000 customers, according to an announcement by Secretary of the Commonwealth of Massachusetts William Galvin on April 27.

The announcement cited a consent order filed with Galvin’s Securities Division, which asserted that “Fidelity’s insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing social security numbers, active credit card and financial account numbers, medical information, passports, driver’s licenses, and other personally identifiable information.” The documents accessed in the data breach not only contained information on Fidelity customers, but also of beneficiaries and relatives.

The breach occurred when a bad actor exploited a vulnerability in Fidelity’s online access controls, which allowed any Fidelity customer to access the documents of another customer. The bad actor was able to manipulate a ten-digit “Image ID” displayed in the browser when accessing the customer’s own documents, allowing them to access other users’ documents as well.
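The flaw described above is an insecure direct object reference: the server selected the document by the Image ID alone and never checked that the requesting session owned it. The following added example (not code from Fidelity, the Division, or the consent order) shows that vulnerable handler beside a hardened one that authorizes against the session identity and records denied lookups so that probing of the ID space stands out in the audit trail. Account names, Image IDs and document contents are constructed.

```python
from collections import Counter
from typing import Optional

# Constructed sample store: Image ID -> (owning account, document bytes).
DOCUMENTS = {
    "1000000001": ("acct-A", b"A's tax form"),
    "1000000002": ("acct-B", b"B's passport scan"),
    "1000000003": ("acct-B", b"B's statement"),
}

# Audit trail of every lookup: (session account, image_id, outcome).
AUDIT: list = []


def fetch_image_vulnerable(session_account: str, image_id: str) -> Optional[bytes]:
    """Vulnerable pattern: the Image ID alone selects the document.

    The session identity is accepted but never compared with the owner, so any
    authenticated customer who edits the ID in the browser gets another
    customer's file."""
    entry = DOCUMENTS.get(image_id)
    return entry[1] if entry else None


def fetch_image_hardened(session_account: str, image_id: str) -> Optional[bytes]:
    """Hardened pattern: authorization is decided server-side from the session.

    'Not found' and 'not yours' produce the same response, so a caller cannot
    tell which IDs exist, and every denial is written to the audit trail."""
    entry = DOCUMENTS.get(image_id)
    if entry is None or entry[0] != session_account:
        AUDIT.append((session_account, image_id, "denied"))
        return None
    AUDIT.append((session_account, image_id, "ok"))
    return entry[1]


def flag_enumeration(audit, threshold: int = 3) -> set:
    """Accounts with at least `threshold` denied document fetches.

    A legitimate customer rarely requests documents they do not own; repeated
    denials from one session are the detection signal for ID probing."""
    denied = Counter(acct for acct, _, outcome in audit if outcome == "denied")
    return {acct for acct, n in denied.items() if n >= threshold}
```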

In addition to the fine, the Division ordered Fidelity to engage an independent cybersecurity consultant, to certify that the cybersecurity controls protecting customer data have been changed and enhanced, and to identify and notify all Massachusetts residents whose personal information was exposed in the breach and who had not previously been notified.

What Does This Mean for Me?

This case demonstrates that, in addition to SEC requirements such as Amended Regulation S-P, state regulators can hold firms to the same expectations with regard to cybersecurity. Financial institutions that maintain access to sensitive client information must not only have proper safeguards, processes, and procedures in place—they must also be able to demonstrate that those procedures are actually enforced in practice. Failure to do so can result in fines, such as this one.

Our Cyber Solutions team helps advisers build and maintain robust cybersecurity programs, including routine maintenance, testing, and training, to ensure proper procedures are in place and that they are put into practice. If you have questions or if you need assistance, let us know. We’re here to help.