2024 Data Breach to Cost Fidelity $1.25M

Fidelity Investments has agreed to pay $1.25 million to resolve allegations brought by William Galvin following a 2024 data breach that exposed sensitive personal information tied to tens of thousands of individuals. The settlement underscores persistent cybersecurity vulnerabilities across wealth management platforms and the regulatory scrutiny facing firms that fail to adequately safeguard client data.

Under the terms of the consent order, an “unidentified and unauthorized third party” gained access to document images containing confidential information associated with approximately 77,000 customers and related individuals. Of those, roughly 2,768 were Massachusetts residents. Notably, the compromised data extended beyond direct clients to include beneficiaries, relatives, and other individuals connected to client accounts—some of whom were minors—highlighting the broader data exposure risk embedded in advisory relationships.

The breach occurred over a three-day period from August 17 to August 19, 2024. During that time, attackers accessed highly sensitive information, including Social Security numbers, passport and driver’s license details, financial account data, insurance records, medical information, and scanned images of active credit cards. For RIAs and wealth advisors, the breadth of exposed data serves as a reminder that client records often aggregate multiple layers of personally identifiable information (PII), significantly increasing both risk and liability.

According to Galvin’s findings, the attackers exploited a vulnerability tied to Fidelity’s access controls. By logging in as authenticated users through previously established brokerage accounts, they were able to reach a document image retrieval function and systematically query records associated with other accounts. In other words, the retrieval function trusted that the caller was logged in but did not tie the requested images to the account that was logged in, so valid credentials for one account became a way to pull records belonging to many others.

The scale of the attempted data extraction was substantial. Investigators reported approximately 23.7 million automated requests for document images during the intrusion, suggesting the use of scripted tools designed to harvest data at scale. While the majority of these attempts were unsuccessful, the attackers ultimately accessed around 373,000 unique document images linked to client accounts. This level of activity highlights the importance of monitoring anomalous behavior patterns, such as high-volume queries, which can indicate automated attacks even when authentication appears legitimate.
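The two failures described above, an image lookup that checks authentication but not ownership, and a request volume no human client would generate, are illustrated in the added example below. It is not Fidelity's code: the account ids, image ids and the access-log format are constructed for this illustration, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict

# Constructed sample data (not Fidelity's): which account owns each document image.
DOC_OWNER = {"img-1001": "acct-A", "img-1002": "acct-A", "img-2001": "acct-B"}


class Forbidden(Exception):
    """Raised when a caller requests an image outside its own account."""


def get_document_unsafe(session_acct, doc_id):
    # Vulnerable pattern: authentication only. Any logged-in account can fetch
    # any image id, so one valid login can read other customers' records.
    if doc_id not in DOC_OWNER:
        return None
    return f"bytes-of-{doc_id}"


def get_document(session_acct, doc_id):
    # Hardened pattern: object-level authorization. The image must belong to the
    # authenticated account; unknown ids and other accounts' ids are treated alike.
    if DOC_OWNER.get(doc_id) != session_acct:
        raise Forbidden(f"{session_acct} may not read {doc_id}")
    return f"bytes-of-{doc_id}"


def is_denied(session_acct, doc_id):
    """True if the hardened lookup refuses the request."""
    try:
        get_document(session_acct, doc_id)
        return False
    except Forbidden:
        return True


def flag_enumeration(log_lines, max_requests=50, max_denied_ratio=0.5):
    """Return {account: (requests, denied)} for sessions that look like scripted
    harvesting: far more image requests than a person would make, or a high share
    of refused lookups (the failed guesses that surround each successful hit).
    Log format is constructed for this example: 'account doc_id status'."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_lines:
        acct, _doc, status = line.split()
        stats[acct][0] += 1
        if status != "200":
            stats[acct][1] += 1
    flagged = {}
    for acct, (total, denied) in stats.items():
        if total > max_requests or (total >= 10 and denied / total > max_denied_ratio):
            flagged[acct] = (total, denied)
    return flagged


# Constructed access log: acct-A reads its own two images; acct-B sweeps image ids.
SAMPLE_LOG = ["acct-A img-1001 200", "acct-A img-1002 200"] + [
    f"acct-B img-{n} {'200' if n == 2001 else '403'}" for n in range(1990, 2010)
]
```

Run against the constructed log, only the sweeping session is flagged, and the ratio test catches it long before a raw request count of 23.7 million would.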

Regulators also took issue with Fidelity’s notification practices. While the firm did inform affected customers, it failed to notify certain impacted individuals—such as beneficiaries and other associated parties—whose data had also been compromised. For RIAs, this aspect of the case reinforces the need for comprehensive breach response protocols that account for all potentially affected parties, not just primary account holders.

In response to the incident, a Fidelity spokesperson stated that the firm acted quickly to terminate unauthorized access, initiate an internal investigation with external cybersecurity experts, and notify law enforcement. The firm also reported that the breach did not involve direct access to client accounts or the movement of funds. Furthermore, Fidelity indicated that it has seen no evidence of identity theft or fraud stemming from the incident in the nearly two years since it occurred.

The firm emphasized its ongoing commitment to client security, including outreach to affected individuals and the provision of resources to help mitigate potential risks. Fidelity also reiterated its Customer Protection Guarantee, which reimburses clients for losses resulting from unauthorized activity in covered accounts. While such assurances may help maintain client confidence, advisors should recognize that reputational damage from data breaches often extends beyond direct financial harm.

As part of the settlement, Fidelity neither admitted nor denied the allegations but agreed to implement remedial measures. These include engaging an independent cybersecurity consultant, enhancing internal controls, and ensuring that all previously unnotified Massachusetts residents impacted by the breach are contacted. These requirements reflect a broader regulatory expectation that firms continuously assess and strengthen their cybersecurity frameworks.

The Fidelity case is not isolated. It follows closely on the heels of a separate breach disclosed by LPL Financial, in which cybercriminals reportedly accessed client accounts via compromised advisor devices, resulting in unauthorized securities transactions and fund transfers. That incident, which occurred in late 2024, illustrates a different but equally critical vulnerability: endpoint security within advisory practices.

More broadly, the industry continues to face a growing wave of cyber incidents and related litigation. Firms such as Cetera Financial Group, Ameriprise Financial, Hightower Advisors, Mercer Advisors, Edelman Financial Engines, Beacon Pointe Advisors, and Pathstone Family Office have all faced scrutiny or legal action tied to alleged data protection failures.

For RIAs, the implications are clear: cybersecurity is no longer a back-office concern but a core component of fiduciary responsibility. As threat actors become more sophisticated and regulatory expectations continue to evolve, firms must prioritize robust access controls, real-time monitoring, comprehensive incident response planning, and transparent client communication. The cost of inaction is no longer limited to financial penalties—it extends to client trust, brand integrity, and long-term business viability.
