Fidelity data breach 2024: what happened, who’s affected, and how to protect your data now

The Fidelity data breach took place in August 2024, exposing the personal data of tens of thousands of customers. Although it was a massive data breach in the financial sector, it’s not an isolated case: between 2019 and 2023 alone, the number of such incidents at financial institutions grew by more than 330%.
This article breaks down what happened during the Fidelity data breach, explains who’s at risk, and explores how to protect yourself based on the key lessons learned.
Understanding the Fidelity data breach
What happened in the 2024 cyberattack?
The August data breach in Fidelity Investments lasted for two days. Post-incident investigation revealed that third-party hackers gained unauthorized access to sensitive personal information of the firm’s customers through two new customer accounts. The timeline of the incident is as follows:
- Date(s) breach occurred: August 17, 2024
- Date(s) breach discovered: August 19, 2024
The August breach, however, wasn’t the only attack on Fidelity Investments in 2024. The firm had already experienced another breach in March 2024. Headlines reported that Fidelity customers’ information was feared stolen in a massive ransomware attack on third-party service provider Infosys McCamish (IMS), which began in 2023 and led to a string of breaches affecting a total of 6,078,263 people.
How many users were affected?
According to the official report of the Maine Attorney General’s office, the August 2024 Fidelity data breach affected a total of 77,099 people.
Given the 39.2 million unique customers engaging with Fidelity.com, NetBenefits.com, or its mobile apps in 2024, the affected number represents only a small subset. However, even a “small percentage” breach in a financial institution can cause devastating effects, as it involves the exposure of high-value personal data, which can be exploited by cybercriminals to carry out various forms of crime.
When this sensitive data is combined with publicly available information sold by data brokers, it creates an even more dangerous mix. Together, they give scammers everything they need to perpetrate identity theft or targeted phishing attacks.
What types of data were compromised?
- PII like names, addresses, and dates of birth
- Driver’s licenses
- Social Security numbers
- In some cases, banking information such as account and routing numbers
How did customers and experts react to the Fidelity data breach?
The Fidelity Investments breach caused a massive public fallout:
- Broad media coverage damaged the firm’s reputation.
- The large number of affected customers raised significant concerns about the security of their personal data at Fidelity.
- Analysis from multiple cybersecurity experts called the breach “massive and preventable,” faulting the firm for vulnerabilities, a lack of multi-layered security, and security misconfigurations that made it possible.
- The breach led to class action lawsuits against Fidelity. The Gluck lawsuit charges the firm with failing to protect customer data due to its inadequately protected computer network, security negligence, and failure to uphold data protection promises.
What steps did Fidelity take to fix the breach?
The firm discovered the breach on August 19, 2024, and instantly launched an investigation, in which they detected and closed the compromised accounts as a primary containment measure. The official Notice of Data Breach was sent out to customers on October 09, 2024.
In response to the incident, Fidelity filed notifications about the breach with several states. The firm also offered customers who have suffered from the breach a complimentary credit monitoring and identity restoration service for 24 months.
What the Fidelity data breach teaches us about cybersecurity
Fidelity being hacked not once but twice in a year, along with other breach cases in the financial sector, offers a few important lessons:
- No one is immune—even trusted institutions are vulnerable.
  If a major financial institution like Fidelity can suffer multiple breaches, it’s clear that no company is invincible—not even those with strong security measures in place.
- Your personal information is always a target.
  Financial institutions store highly sensitive data like names, addresses, Social Security numbers, and account details. All of these details are prime targets for cybercriminals. As individuals, we need to stay mindful of where and how we share our information, and take extra care to safeguard it.
- Data breaches are becoming more common.
  No one can afford to be complacent. It’s wise to assume your data may eventually be exposed and take proactive steps now to minimize potential damage.
- Adopting a privacy-first mindset is essential.
  Strong personal data protection habits aren’t optional anymore. Cybercriminals will exploit every opportunity and vulnerability to cause harm. That’s why it’s crucial to take control of what you can—your privacy.
Being prepared and having the right mindset are the essential first steps. Next, let’s dive into the specific measures you can take to actively protect yourself.
How to protect your personal information after a data breach: immediate steps
If you happen to be at the epicenter of a data breach, there are a few steps you should take instantly to protect your information.

Place fraud alerts with credit bureaus
Fraud alerts inform potential creditors that your data may be compromised and require them to verify your identity more scrupulously before they open a new account, issue a new credit card, or increase your credit limit. You can place a fraud alert with one of the three major credit bureaus: Experian, TransUnion, or Equifax.
Change passwords, enable MFA on all financial accounts
Change your existing passwords and enable multi-factor authentication immediately after learning about a breach to prevent unauthorized access to your financial accounts.
Check if your data has been exposed
Even if you are not contacted by the corresponding institution, stay vigilant and take proactive steps to check if your data has been exposed. First, contact your service provider. If you were affected by the 2024 Fidelity data breach, use official communication channels to clarify the status of your data.
You can also check if your email address is in a data breach with the help of services like haveibeenpwned.com.
Monitor bank and credit card statements rigorously
Carefully check your statements to detect any unusual activity, such as new credit lines opened, new cards issued, and so on, and instantly report any unauthorized changes to your service provider.
You can also consider freezing your account to prevent unauthorized changes.
Proactive steps to improve your overall internet security
Even if you are not affected by the Fidelity data breach or another incident, any online account can become a target. Here are a few extra tips you can use to improve overall cybersecurity and prevent breaches.

Monitoring your online presence and removing unnecessary data
Your digital footprint can contain plenty of personal information that can help scammers. Thus, regularly reviewing it, limiting what you share online and using proper privacy settings on various channels is crucial for safety.
Also, removing your information from data brokers (aka people-search sites) can help you stay on the safe side.
Using identity protection and monitoring services
Identity protection and monitoring services help detect identity theft and other cyber threats to safeguard your privacy and data.
Keeping your software and devices updated
Software and device updates often address known security vulnerabilities, bugs, and other weaknesses. By installing updates as soon as they roll out, you can become less vulnerable to cybercriminals.
Recognizing and avoiding phishing scams
Educate yourself on common forms of phishing scams that attempt to steal your passwords, account numbers, or Social Security numbers via email, text, and other means. Being able to recognize them can help you avoid falling victim.
FAQ
How can I check if my Fidelity data was leaked?
If you haven’t received a notification, you can contact the firm via official means of communication or check your credentials using haveibeenpwned.com.
What should I do if I was affected by the Fidelity data breach?
Place fraud alerts to notify potential creditors about the possibility of a breach. Also, change your account passwords, enable MFA, and carefully monitor your bank and card statements to detect any unauthorized activity.
How do I protect my personal information from future breaches?
Regularly assess your digital footprint and remove personal information from data broker sites. Leverage identity protection and monitoring services for increased security. And learn to recognize phishing scams to be able to avoid them.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.