Massachusetts Says Fidelity Was Lax With Customer Data. Now the Firm Must Pay $1.25 Million. -- Barrons.com

Dow Jones 04-29 02:19

By Kenneth Corbin

Fidelity Investments has agreed to pay $1.25 million to Massachusetts regulators to settle allegations that lax data security protocols enabled a 2024 data breach that exposed personal information of 77,000 customers and individuals. Secretary of the Commonwealth William Galvin, Massachusetts' top securities regulator, also accused Fidelity of failing to notify the nonclient individuals whose information was allegedly compromised in the incident.

Fidelity agreed to the fine in a consent order filed on Monday without admitting or denying wrongdoing. A spokesman acknowledged that the breach occurred and said the firm acted quickly to limit the damage, notify law enforcement, and open an investigation.

"Fidelity takes its responsibility to serve customers and safeguard them and their information seriously," the spokesman says. "Fidelity detected the activity and immediately took steps to terminate access and remediate the issue."

Database breach. The incident involved Fidelity Brokerage Services, which Galvin's office accused of failing to enforce its own cybersecurity protocols relating to an internal database of document images, allowing customers to view materials associated with other investors' accounts, and, in August 2024, enabling an unauthorized third party to gain access to the sensitive material.

The documents that were allegedly compromised over a three-day period included Social Security numbers, credit card and other financial account numbers, medical information, and other sensitive information. The breach allegedly extended beyond Fidelity's clients to their relatives and beneficiaries, including minors.

Constant threat. The settlement is the latest reminder that large wealth management firms are under more or less constant threat from hackers looking to gain access to sensitive client or corporate information. Recent breaches have targeted firms such as Betterment, Mercer Global Advisors, Beacon Pointe, and Ameriprise Financial, though that list is far from exhaustive.

Galvin's office says that Fidelity notified its customers of the breach but didn't send word to the relatives and other noncustomers whose information was compromised.

Fidelity says the breach affected only a "small subset of customers" and didn't enable intruders to access clients' accounts or funds.

"We reached out to the impacted customers in accordance with applicable laws and notified appropriate regulators," the spokesman says. "In the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this incident."

The spokesman also noted Fidelity's customer protection guarantee, which reimburses clients for losses incurred through unauthorized access to certain account types, including brokerage and 401(k) accounts.

In addition to the fine, Fidelity agreed to retain an outside cybersecurity consultant, certify that it has enhanced its security protocols, and notify any Massachusetts residents whose information was exposed in the breach but who weren't already contacted.

Write to advisor.editors@barrons.com

This content was created by Barron's, which is operated by Dow Jones & Co. Barron's is published independently from Dow Jones Newswires and The Wall Street Journal.

 

(END) Dow Jones Newswires

April 28, 2026 14:19 ET (18:19 GMT)

Copyright (c) 2026 Dow Jones & Company, Inc.
