Massachusetts Fines Fidelity $1.25M for IDOR Breach That Exposed 77,000 Customers' SSNs and Financial Records

Massachusetts Secretary Galvin fined Fidelity Brokerage Services $1.25M after a three-day IDOR vulnerability allowed any authenticated user to access other customers' SSNs, credit card numbers, and medical records — plus a secondary failure to notify affected individuals.

Massachusetts fined Fidelity Brokerage Services $1.25M after an IDOR vulnerability let any authenticated user access 77,000 customers' SSNs, credit card numbers and medical records.

A textbook IDOR vulnerability let any Fidelity customer access any other customer's SSNs, credit card numbers, and medical records for three days in August 2024 — and Massachusetts just fined the firm $1.25M for failing to implement its own security policies.

BOSTON, MASSACHUSETTS — Fidelity's Document Image Repository assigned each document a sequential ten-digit Image ID visible in the browser URL. Any logged-in user could access any other customer's document images simply by incrementing or guessing that identifier — no ownership validation required. A bad actor exploited this flaw over three days in August 2024, accessing images containing Social Security numbers, active credit card and financial account numbers, medical information, passports, driver's licenses, and other PII belonging to approximately 77,000 customers.

Enforcement profile

Enforcement Action: Massachusetts vs. Fidelity Brokerage Services
Regulator: Massachusetts Secretary of the Commonwealth — Securities Division
Fine: $1.25 million administrative fine — consent order filed April 27, 2026
Breach Period: August 17-19, 2024 — three-day exploitation window
Customers Affected: Approximately 77,000 total; at least 2,768 Massachusetts residents
Data Compromised: SSNs, active credit card and bank account numbers, medical information, passports, driver's licenses, PII
Root Cause: Insecure Direct Object Reference (IDOR) — no ownership validation on document access requests
Additional Remediation: Independent cybersecurity consultant engagement; enhanced control certification; notification of all previously unnotified Massachusetts residents

The vulnerability: IDOR in a financial document system

According to the consent order, "Fidelity's insufficient enforcement of its own cybersecurity protocols allowed a bad actor, over a three-day period in August 2024, to access images of documents." The failure was not the absence of a policy but the absence of enforcement. IDOR vulnerabilities have appeared in every major web application security framework for over two decades — OWASP has listed broken access control as the number one web application security risk since 2021. For a broader understanding of how data breaches unfold and what regulatory consequences look like, see our guide on data breaches: risks, response, and prevention. The Fidelity case follows a pattern we documented in Citizens Bank's federal lawsuits following the Everest ransomware attack — financial institutions facing compounding legal liability. All data breach coverage is tracked on The CyberSignal.
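The flaw described above, as an added example that is not Fidelity's code and not part of the consent order: a lookup that trusts the Image ID alone, beside a lookup that checks the session principal owns the record, plus a log heuristic that flags one session walking consecutive identifiers. The document store, user names and log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample store: ten-digit image ID -> (owner, label).
DOCS = {
    "0000001001": ("alice", "passport"),
    "0000001002": ("bob", "credit card statement"),
    "0000001003": ("alice", "driver's license"),
}

def fetch_unchecked(session_user, image_id):
    """The flawed pattern: the identifier alone selects the document."""
    return DOCS.get(image_id)

def fetch_checked(session_user, image_id):
    """Hardened: foreign and missing IDs both return None (no existence oracle)."""
    doc = DOCS.get(image_id)
    if doc is None or doc[0] != session_user:
        return None
    return doc

# Constructed access-log lines: session user, requested image ID, status.
LOG = [
    "user=bob id=0000001001 status=200",
    "user=bob id=0000001002 status=200",
    "user=bob id=0000001003 status=200",
    "user=bob id=0000001004 status=200",
    "user=alice id=0000001001 status=200",
]

def parse(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["user"], int(fields["id"])

def flag_enumeration(lines, run_len=3):
    """Return users whose requests include >= run_len consecutive image IDs,
    the signature of a client incrementing the identifier in the URL."""
    ids = defaultdict(set)
    for line in lines:
        user, image_id = parse(line)
        ids[user].add(image_id)
    flagged = []
    for user, seen in ids.items():
        longest = run = 0
        for i in sorted(seen):
            run = run + 1 if (i - 1) in seen else 1
            longest = max(longest, run)
        if longest >= run_len:
            flagged.append(user)
    return sorted(flagged)
```

The ownership check is the fix the order's "no ownership validation" finding points at; the log heuristic is one way a monitoring team could have noticed a three-day enumeration window while it was still open.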

Failure to notify

Massachusetts regulators identified a secondary compliance failure: after learning of the breach, Fidelity failed to notify many impacted residents, including relatives and minor children of customers whose documents were accessed. In addition to the fine, Fidelity has been ordered to identify and notify all Massachusetts residents whose information was exposed and who were not previously notified.

What to do now

If you are a Fidelity Brokerage Services customer, place a fraud alert or credit freeze with all three major credit bureaus immediately. The exposed data includes active financial account numbers — change affected credentials and card numbers with your bank. Monitor credit reports and financial accounts for unauthorized transactions going back to August 2024.


The CyberSignal Analysis

Signal 01 — IDOR in financial systems is an entirely preventable breach class

A financial institution of Fidelity's scale allowing sequential numeric document IDs without ownership validation is a fundamental access control failure, not an edge case. The consent order's language — "failure to enforce its own cybersecurity protocols" — confirms this was a known requirement not implemented in production.

Signal 02 — State securities regulators are filling the federal enforcement vacuum

Massachusetts Secretary Galvin has established a track record of aggressive data breach enforcement when federal regulators move slowly. The $1.25 million fine against one of the world's largest financial firms signals that state-level enforcement is willing to act where SEC and FINRA do not.

Signal 03 — The notification failure is as serious as the breach

Fidelity's failure to notify affected individuals — including minor children — after learning of the breach compounds the harm. Regulators increasingly treat notification delay and scope failures as independent enforcement triggers. Organizations that under-notify to minimize reputational damage are discovering that regulators view under-notification as a separate and actionable violation.


Sources
Official: Investment News, "Data Breach Costs Fidelity $1.25M Fine from Galvin"
Reporting: DataBreaches.net, "Regulator Fines Fidelity Brokerage Services $1.25M"
Enforcement: PSCA, "Fidelity Fined by Massachusetts — Full Consent Order Details"