Another New Fidelity Investments Breach!
In a filing submitted to Maine’s attorney general on Wednesday, October 9, 2024, Fidelity stated that the breach took place between August 17 and August 19, when an unnamed third party gained access to the data through two customer accounts.
The confirmed data breach impacts over 77,000 customers. Between August 17 and 19, unauthorized individuals accessed personal information, including Social Security numbers and driver’s license details, by exploiting two newly established customer accounts. Fidelity detected the breach on August 19 and promptly terminated the unauthorized access. The company has stated that customer accounts and funds were not compromised during this incident.
In response, Fidelity is offering affected individuals two years of free credit monitoring and identity restoration services. The company advises all customers to remain vigilant by regularly reviewing their financial statements and reporting any suspicious activity.
While Fidelity is offering free credit monitoring services (which they know only a fraction of affected customers will utilize), I’d like to offer them some advice from the perspective of a seasoned cybersecurity professional. Given Fidelity’s history of multiple breaches, it’s apparent that their internal cybersecurity program and practices are inadequate. Continuing down the same path is likely to result in further compromises. I strongly urge the executive management team to engage unbiased, external cybersecurity experts to conduct a thorough assessment of their cybersecurity program using a comprehensive framework like NIST CSF 2.0. This kind of objective assessment, guided by an experienced cybersecurity team, would reveal a wealth of improvement opportunities and actionable insights to strengthen their defenses and protect customer data more effectively.
Following the breach, a proposed class-action lawsuit was filed against Fidelity, alleging negligence and inadequate security measures. The lawsuit claims that the company failed to implement standard cybersecurity practices, such as encrypting client information and providing sufficient employee training.
Earlier in 2024, Fidelity Investments Life Insurance Company informed approximately 30,000 individuals that their personal information was compromised due to a data breach at third-party services provider Infosys McCamish Systems (IMS). The breach involved unauthorized access to sensitive customer data.
Both of these incidents underscore the importance of robust cybersecurity protocols in protecting sensitive customer information.
How Do Consumers Protect Themselves?
To protect financial and personal information, especially in light of serious breaches like those involving Fidelity Investments, individuals can implement the following methods:
Use Strong, Unique Passwords
- Never use the same passwords across accounts.
- Create long, complex passwords that include a mix of letters, numbers, and symbols.
- Consider using a reputable password manager, such as Protonmail Pass, to generate and securely store passwords.
Enable Multi-Factor Authentication (MFA)
- Activate MFA wherever possible, especially on financial accounts.
- MFA adds an additional layer of security by requiring a code or biometrics along with your password.
- Don’t use your regular mobile phone number for MFA. Get a cheap second phone for this.
- Use hardware MFA like YubiKey.
Monitor Accounts Regularly
- Review your bank and investment account statements WEEKLY.
- Look for unfamiliar transactions and report them immediately.
- Set up alerts for transactions or login attempts for real-time notifications of activity.
Freeze Credit Reports
- Consider freezing your credit reports with major bureaus (Equifax, Experian, and TransUnion).
- This prevents new accounts from being opened in your name without your authorization. This is more effective than relying on “free” monitoring services after you are breached.
Use Secure Connections
- Avoid accessing financial accounts on public Wi-Fi.
- If you must use public Wi-Fi, connect through a trusted Virtual Private Network (VPN).
Stay Informed About Breaches
- Verify any communication asking for personal information, especially emails or calls that seem urgent or too good to be true.
- Contact companies directly using verified contact information rather than clicking links in emails or messages.
Use Identity Theft Protection Services
- Consider services that offer credit monitoring, fraud alerts, and identity theft insurance.
- These services may provide early warnings about unusual activity on your accounts.
Secure Devices with Antivirus and Anti-Malware Software
- Regularly update your software, and install reputable antivirus and anti-malware programs.
- Enable automatic updates to patch vulnerabilities.
Use Account Alerts for Immediate Notifications
- Set up notifications for any transactions, account logins, or profile changes.
- These alerts can help detect unauthorized access quickly.
By implementing these strategies, individuals can better safeguard their financial and personal data against unauthorized access and reduce the risk of identity theft or financial fraud. These actions are not foolproof and are only a baseline.
Originally published at https://timlaytonllc.com on November 1, 2024.