Fidelity Investments to Settle Class-Action Lawsuit for $2.5 Million Over 2024 Data Breach

Fidelity Nears $2.5M Settlement for 2024 Data Breach Affecting 77,000 People

MEDIUM
July 9, 2026
4m read
Data BreachPolicy and ComplianceRegulatory

Impact Scope

People Affected

77,000

Industries Affected

Finance

Geographic Impact

United States (national)

Related Entities

Other

Fidelity Investments

Full Report

Executive Summary

Fidelity Investments, a major player in the financial services industry, is set to finalize a $2.5 million settlement for a class-action lawsuit stemming from a data breach that occurred in August 2024. The breach affected approximately 77,000 people. A U.S. court is scheduled to hold a Fairness Hearing on July 9, 2026, to grant final approval to the settlement terms. The lawsuit alleged that Fidelity's inadequate security measures led to the breach and that the company delayed notification to affected consumers, some of whose data later appeared on the dark web. The settlement provides a compensation framework for victims, with payments up to $5,000 for documented losses.

Threat Overview

The underlying security incident occurred between August 17 and August 19, 2024. During this period, an unauthorized third party gained access to Fidelity's network and exfiltrated certain personal information of approximately 77,000 individuals. The lawsuit, filed in February 2025, claimed this was a preventable breach resulting from Fidelity's failure to implement adequate cybersecurity measures (T1562). A key point of contention in the lawsuit was the delay in notification; Fidelity allegedly waited two months before informing the victims, potentially violating data breach notification laws and preventing individuals from taking timely steps to protect themselves. The plaintiffs also claimed that some of the stolen personal information was subsequently found for sale or was published on the dark web, a common outcome of data breaches where attackers seek to monetize the stolen data (T1657 - Financial Benefit).

Regulatory Details

The case highlights the legal and financial consequences of a data breach. The class-action lawsuit consolidates claims from affected individuals into a single legal action. The proposed $2.5 million settlement is intended to compensate victims for their losses and resolve the litigation. The settlement structure includes:

  • Documented Loss Claims: Class members who can provide proof of out-of-pocket losses directly resulting from the breach (e.g., costs for credit monitoring, fraud resolution) can claim reimbursement up to $5,000.
  • Pro-Rata Payments: All other class members are eligible for a cash payment, estimated to be around $100 per person. The final amount will depend on the number of claims filed and administrative costs.

The Fairness Hearing on July 9, 2026, is a standard legal procedure where a judge reviews the settlement to ensure it is fair, reasonable, and adequate for the class members it represents before giving it final approval.

Impact Assessment

For the 77,000 individuals affected, the breach resulted in the exposure of their personal information, putting them at an increased risk of identity theft, financial fraud, and targeted phishing attacks for years to come. The delay in notification exacerbated this risk. For Fidelity Investments, the impact is both financial and reputational. The $2.5 million settlement, along with legal fees, represents a direct financial cost. Perhaps more damaging is the erosion of trust among its customers. As a major financial institution, the expectation of robust security is paramount. A breach, followed by a lawsuit alleging inadequate security and delayed notification, can significantly harm the company's brand and its ability to attract and retain clients.

Compliance Guidance

This incident serves as a critical lesson for all organizations, especially those in regulated industries like finance:

  1. Implement Robust Security: Invest in and maintain a comprehensive cybersecurity program based on established frameworks like NIST CSF or ISO 27001. This includes technical controls like MFA, encryption, and EDR, as well as regular security assessments and penetration testing. This aligns with M1028 - Operating System Configuration.
  2. Timely Notification: Understand and comply with the complex web of state and federal data breach notification laws. Have a well-practiced incident response plan that includes clear timelines and procedures for notifying affected individuals and regulators. Delays can lead to increased legal liability and regulatory fines.
  3. Incident Response Readiness: Maintain a tested incident response plan. When a breach occurs, the ability to quickly identify the scope, contain the damage, and understand what data was taken is crucial for an effective and legally defensible response. This involves having adequate logging and monitoring in place (M1047 - Audit).
  4. Dark Web Monitoring: Proactively monitor the dark web for mentions of your company or the appearance of your data. This can provide early warning of a breach or help determine the scope of an incident.

Timeline of Events

1
August 17, 2024
The data breach at Fidelity Investments begins.
2
August 19, 2024
The data breach period ends.
3
February 1, 2025
A class-action lawsuit is filed against Fidelity Investments.
4
July 9, 2026
A Fairness Hearing is scheduled to approve the $2.5 million settlement.
5
July 9, 2026
This article was published
6
July 27, 2026
Deadline for class members to have incurred documented losses to be eligible for the higher claim amount.

MITRE ATT&CK Mitigations

Audit

M1047enterprise

Implement comprehensive logging and monitoring to detect unauthorized access and data exfiltration promptly, enabling faster incident response and notification.

Mapped D3FEND Techniques:

Encrypt sensitive customer data both at rest and in transit to ensure that even if data is exfiltrated, it remains unusable to the attackers.

Mapped D3FEND Techniques:

Enforce MFA on all accounts, especially those with access to sensitive customer data, to prevent unauthorized access via stolen credentials.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

To prevent a breach like the one at Fidelity, implementing robust Network Traffic Analysis (NTA) is crucial. An NTA solution would continuously monitor network flows, establishing a baseline of normal data movement. The exfiltration of data for 77,000 individuals would likely create a detectable anomaly—a spike in outbound traffic from a database or file server to an unknown external IP address. By setting up alerts for such deviations, the security operations team could have been notified in near real-time, potentially during the three-day window of the breach. This would have enabled them to investigate and contain the incident immediately, drastically reducing the scope of the breach and potentially preventing the need for a multi-million dollar settlement. This proactive detection is key to shortening attacker dwell time and minimizing impact.

The lawsuit against Fidelity highlighted the two-month delay in notification as a key failure. This underscores the need for a well-defined and regularly tested Incident Response Plan (IRP). The IRP should include clear, pre-approved communication templates and a decision tree for notifying affected individuals, regulators, and law enforcement. It must incorporate legal counsel's input regarding the specific notification timelines required by various state and federal laws (e.g., GDPR, CCPA, state-specific statutes). Regular tabletop exercises that simulate a data breach scenario, including the notification process, are essential to ensure that when a real incident occurs, the organization can respond quickly, efficiently, and in compliance with all legal obligations, thereby mitigating legal and reputational damage.

Timeline of Events

1
August 17, 2024

The data breach at Fidelity Investments begins.

2
August 19, 2024

The data breach period ends.

3
February 1, 2025

A class-action lawsuit is filed against Fidelity Investments.

4
July 9, 2026

A Fairness Hearing is scheduled to approve the $2.5 million settlement.

5
July 27, 2026

Deadline for class members to have incurred documented losses to be eligible for the higher claim amount.

Sources & References

Fidelity $2.5M data breach settlement: What to know
MySA (mysanantonio.com) July 9, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

Data BreachFidelity InvestmentsLawsuitSettlementFinancial ServicesPolicy and Compliance

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.