Add Fidelity Brokerage Services to the list of big firms recently hit by cyberattacks aimed at clients’ private information, this time including passport and driver’s license information.
Secretary of the Commonwealth of Massachusetts William Galvin on Monday said his office had issued a $1.25 million fine against Fidelity Brokerage Services, after the Massachusetts broker-dealer’s failure to enforce appropriate cybersecurity controls allowed a data breach affecting approximately 77,000 customers.
“Fidelity’s insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents containing social security numbers, active credit card and financial account numbers, medical information” and other personally identifiable information, according to the consent order as quoted in a statement from Galvin’s office.
A number of large financial advice firms over the past several years have reported data breaches affecting clients’ private information.
InvestmentNews reported last week that, for the second time in the past few months, LPL Financial and Ameriprise Financial were flagged by the state of Maine for client information snafus.
“Fidelity takes its responsibility to serve customers and safeguard them and their information seriously,” a Fidelity spokesperson wrote in an email Monday morning.
“Between August 17 and 19, 2024, a third party accessed and obtained certain information from a Fidelity database without authorization,” according to the spokesperson. “Fidelity detected the activity and immediately took steps to terminate access and remediate the issue.”
“The incident did not involve any access to Fidelity customers’ accounts or funds,” the spokesperson wrote. “We reached out to the impacted customers in accordance with applicable laws and notified appropriate regulators. In the nearly two years since the incident, we have no evidence that identity theft or fraud occurred because of this incident.”
According to the consent order, the documents accessed in the data breach contained not only the information of existing Fidelity customers, but also that of beneficiaries and relatives, some of whom were minors.
While Fidelity took steps after the data breach to notify affected customers, the company failed to notify the beneficiaries and others that their personal information had been compromised, according to the order.
The breach occurred when a bad actor exploited a vulnerability in Fidelity’s online access controls that allowed any Fidelity customer to access the documents of another customer, according to the order.
By manipulating the ten-digit “Image ID” displayed in the browser when accessing their own documents, a customer could access other users’ documents as well.
“At the time of the data breach, Fidelity did not reasonably enforce its technical security policies designed to restrict users… to accessing only the images in the Document Image Repository that are associated with the user’s account,” according to the consent order.
“Any authenticated user, after logging into their Fidelity.com account and attempting to retrieve an image associated with their account, could take certain actions to ultimately see that the Image ID was composed of a ten digit string of numbers,” according to the order.
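The weakness the order describes is a missing per-object ownership check: being logged in was treated as sufficient to fetch any image. The Python sketch below is an added illustration, not Fidelity's code and not taken from the consent order; it contrasts a lookup that checks only authentication with one that ties each Image ID to the session's account and counts denials for review. All function names, account names, and sample records are hypothetical and constructed.

```python
# Constructed sample data: Image ID -> owning account (all names hypothetical).
IMAGE_OWNERS = {
    "1000000001": "acct-alice",
    "1000000002": "acct-alice",
    "1000000003": "acct-bob",
}
IMAGE_STORE = {iid: f"<image bytes for {iid}>".encode() for iid in IMAGE_OWNERS}


class Forbidden(Exception):
    """Raised when the request must be refused."""


def get_image_vulnerable(session_account, image_id):
    # Flawed pattern: verifies that the caller is logged in, but never
    # compares the image's owner with the logged-in account.
    if session_account is None:
        raise Forbidden("login required")
    return IMAGE_STORE[image_id]


def get_image_checked(session_account, image_id, denials):
    # Hardened pattern: authorization is evaluated per object, server side.
    if session_account is None:
        raise Forbidden("login required")
    owner = IMAGE_OWNERS.get(image_id)
    # Unknown IDs and IDs owned by someone else get the same refusal, so the
    # response does not confirm which ten-digit values exist.
    if owner != session_account:
        # Record the refusal so repeated mismatches can be reviewed.
        denials[session_account] = denials.get(session_account, 0) + 1
        raise Forbidden("not found")
    return IMAGE_STORE[image_id]


def accounts_to_review(denials, threshold=3):
    # Accounts with at least `threshold` refused image requests.
    return sorted(acct for acct, n in denials.items() if n >= threshold)
```

The `denials` dictionary stands in for whatever audit log or alerting pipeline a real service would use; the threshold of 3 is an arbitrary value chosen for the example.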