Add Fidelity Brokerage Services to the list of big firms that have recently faced cyberattacks by bad actors seeking clients’ private information, this time including passport and driver’s license information.
Secretary of the Commonwealth of Massachusetts William Galvin on Monday said his office had issued a $1.25 million fine against Fidelity Brokerage Services, after the Massachusetts broker-dealer’s failure to enforce appropriate cybersecurity controls allowed a data breach affecting approximately 77,000 customers.
According to a consent order quoted in a statement from Galvin’s office, “Fidelity’s insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing social security numbers, active credit card and financial account numbers, medical information” and other personally identifiable information.
A number of large financial advice firms over the past several years have reported data breaches affecting clients’ private information.
InvestmentNews reported last week that, for the second time in the past few months, LPL Financial and Ameriprise Financial were flagged by the state of Maine for client information snafus.
“Fidelity takes its responsibility to serve customers and safeguard them and their information seriously,” a Fidelity spokesperson wrote in an email Monday morning.
“Between August 17 and 19, 2024, a third party accessed and obtained certain information from a Fidelity database without authorization,” according to the spokesperson. “Fidelity detected the activity and immediately took steps to terminate access and remediate the issue.”
“The incident did not involve any access to Fidelity customers’ accounts or funds,” the spokesperson wrote. “We reached out to the impacted customers in accordance with applicable laws and notified appropriate regulators. In the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this incident.”
According to the consent order, the documents accessed in the data breach contained not only the information of existing Fidelity customers, but also that of beneficiaries and relatives, some of whom were minors.
While Fidelity took steps after the data breach to notify affected customers, the company failed to notify the beneficiaries and others that their personal information had been compromised, according to the order.
The breach occurred when a bad actor exploited a vulnerability in Fidelity’s online access controls that allowed any Fidelity customer to access the documents of another customer, according to the order.
By manipulating the ten-digit “Image ID” displayed in the browser when accessing their own documents, a customer could access other users’ documents as well.
“At the time of the data breach, Fidelity did not reasonably enforce its technical security policies designed to restrict users… to accessing only the images in the Document Image Repository that are associated with the user’s account,” according to the consent order.
“Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers,” according to the order.
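The control the order says was not enforced is an ownership check on every image request. The sketch below is an added illustration, not Fidelity's code: the repository, account names, image IDs and function names are all constructed, and it shows the authentication-only lookup beside one that ties the image to the session's account and records denials for monitoring.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Image:
    image_id: str   # ten-digit identifier, as described in the order
    owner: str      # account the image is associated with
    content: bytes

# Constructed sample repository; IDs, accounts and contents are made up.
REPOSITORY = {
    "0000001001": Image("0000001001", "acct-alice", b"alice-passport-scan"),
    "0000001002": Image("0000001002", "acct-bob", b"bob-license-scan"),
}

class NotFound(Exception):
    """Raised for missing and for unowned images alike, so the response
    does not reveal which image IDs exist."""

denied_log = []  # (session_account, image_id) pairs kept for monitoring

def fetch_image_unchecked(session_account, image_id):
    """The flawed pattern: the caller is logged in, but ownership is never checked."""
    image = REPOSITORY.get(image_id)
    if image is None:
        raise NotFound(image_id)
    return image.content

def fetch_image(session_account, image_id):
    """Hardened lookup: the image must belong to the account in the session."""
    image = REPOSITORY.get(image_id)
    if image is None or image.owner != session_account:
        if image is not None:
            denied_log.append((session_account, image_id))
        raise NotFound(image_id)
    return image.content

def accounts_to_review(log, threshold=3):
    """Accounts denied on at least `threshold` distinct image IDs."""
    seen = {}
    for account, image_id in log:
        seen.setdefault(account, set()).add(image_id)
    return sorted(a for a, ids in seen.items() if len(ids) >= threshold)
```

The account identity comes from the server-side session, never from the request, and the threshold in `accounts_to_review` is an arbitrary value chosen for the illustration.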