Scram News

Fidelity data breach settlement opens $2.5M claims window

Fidelity Investments agreed to a $2.5 million class-action settlement and a separate $1.25 million regulatory fine over a 2024 data breach affecting roughly 77,000 customers. Claims close July 27.

By Tomás Iglesias

Fidelity Investments has agreed to pay $2.5 million to settle a class-action lawsuit over an August 2024 data breach that exposed the personal information of roughly 77,000 customers. A claims window is now open and runs through late July for affected account holders.

The settlement, filed May 13 in federal court, is small by the standards of the $15.3 trillion asset manager. It landed alongside a separate $1.25 million fine from Massachusetts regulators over the same incident. Neither sum matters to Fidelity’s bottom line. What the twin actions make clear is how far the accountability perimeter has stretched for brokerages — even contained cyber failures now draw regulatory and legal fire on multiple fronts long after the intrusion itself is closed.

The breach played out over two days, August 17–19, 2024. An attacker got at customer names, Social Security numbers, and financial account data through an internal system vulnerability. Fidelity detected and closed the hole within 48 hours and notified 77,000 customers at the time. But the settlement documentation indicates another 86,000 account holders had routing and account numbers exposed and may also be eligible to file claims — roughly doubling the pool of affected individuals. In Massachusetts alone, 2,768 residents were hit, according to the state’s separate enforcement action, resolved alongside the class settlement.

Under the proposed terms, class members can claim up to $5,000 for documented out-of-pocket losses tied to the breach: credit monitoring, identity theft restoration, unreimbursed fraud charges. Those without documentation can still collect an estimated pro rata cash payment of roughly $100 without submitting proof. California residents get an extra $50 under the state’s Consumer Privacy Act. As the settlement notice puts it, “you do not have to provide any proof or explanation to claim this payment.”

“The parties have agreed to settle the lawsuit … to avoid the costs and risks, disruptions, and uncertainties of continuing the Litigation,” the settlement notice states.

The mechanics follow a standard class-action cadence. A final approval hearing is set for July 9 before the U.S. District Court for the District of Massachusetts. The claims deadline is July 27. Customers who want to exclude themselves and preserve the right to sue separately must opt out by June 26. Attorney fees and administrative costs will come out of the settlement fund — in consumer class actions of this size, that slice typically runs 20 to 30 per cent of the total.

Secretary of the Commonwealth William Galvin’s securities division brought the Massachusetts regulatory action, which ran parallel to the class litigation. It accused Fidelity of failing to maintain cybersecurity controls that matched the sensitivity of the data it held, pointing to inadequate access monitoring and delayed detection. The $1.25 million penalty is modest, but it is among the larger state-level data-security fines against a major brokerage in the current enforcement cycle. More telling, perhaps, is the signal it sends: state regulators will pursue their own cases even when a federal class settlement is underway. For an industry still adjusting to the SEC’s 2023 cybersecurity disclosure rules, the two actions — one civil, one regulatory — offer a case study in how breach costs pile up across separate enforcement tracks, with no single proceeding capturing the full liability.

Fidelity admitted no wrongdoing in either the settlement or the regulatory resolution. The combined $3.75 million in payouts and penalties is immaterial to a firm whose 2025 operating income topped $10 billion. The reputational math is less forgiving. A breach that lasted 48 hours in August 2024 will, by the time the claims window closes in July 2026, have produced nearly two years of legal process, regulatory scrutiny, and public disclosure for one of the most trusted names in American finance. Fidelity’s core product is stewardship of other people’s money. When that trust gets tested, the fine is rarely the hardest part.


Tomás Iglesias

Financial regulation and legal affairs. SEC, CFTC, FCA, market-structure and enforcement. Reports from Washington.
