A stack of documents that concludes a tale Fidelity Investments would probably prefer not to discuss can be found somewhere in a filing cabinet inside a federal courthouse in Massachusetts. On May 13, the brokerage reached a $2.5 million settlement to end a class action lawsuit related to a cyberattack that exposed the personal data of about 77,000 clients for two bizarre days in August 2024. Fidelity denied any misconduct. It wrote the check anyway. These things typically end that way.
The actual breach was brief. An unauthorized third party gained access to Fidelity’s network between August 17 and August 19, 2024, and stole client information. Two days. That’s all. However, two days is an eternity for a company that manages trillions of dollars’ worth of client assets, and the lawsuit that followed claimed the firm had been negligent with information that it ought to have been protecting much more vigorously. The second complaint, one you’ll understand if you’ve ever waited for a breach notification letter, is that Fidelity took too long to inform anyone about what had happened.

It’s worth taking a moment to consider the settlement math. The maximum payout is $5,000 for clients who can prove actual financial harm, such as identity theft losses, the expense of obtaining a credit report, or the minor fees that accumulate when attempting to freeze your credit at three different bureaus. The average payout is anticipated to be around $100. The floor is about fifty dollars. That wide spread indicates how unevenly a breach like this affects people. For most, the harm was most likely only hypothetical. Others had to spend months tidying up someone else’s mess.
Fidelity claims to have already informed qualified clients, but the notification procedure is the aspect of these settlements that consistently seems to get overlooked. People change addresses. Emails are classified as junk. Observing how these events unfold gives the impression that many members of the eligible class never submit a claim. Customers have a short window of time between learning that the settlement is genuine and taking action because the final approval hearing is scheduled for July 9 and the claim deadline is July 27.
It’s difficult to ignore how commonplace everything has gotten. There is a breach. The next step is a class action. Citing the expenses and dangers of carrying on the battle, the company settles despite denying any wrongdoing. The attorneys refer to it as adequate, reasonable, and fair. Customers only receive a small portion of what they may have anticipated. The business moves on. At this point, we’ve seen this pattern recur with T-Mobile, Equifax, and what seems like half of the financial services sector. The amounts differ. The choreography doesn’t.
The scale of Fidelity itself is what makes this case a little different. This is not a startup that was discovered to have inadequate security. Millions of Americans park their 401(k)s and IRAs here without giving it a second thought, making it one of the titans of American retirement. The trust is vast, largely imperceptible, and most likely impossible to fully measure. In that context, a $2.5 million settlement seems almost symbolic. It’s a discreet, admission-free expense of conducting business.
The useful advice is straightforward for clients who believe they qualify. Examine your mail. Visit the settlement website. Submit by July 27. If you’re claiming documented losses, keep any receipts you have because they can mean the difference between a $100 check and something closer to four figures. Another question is whether the larger lesson makes any sense. Investors don’t seem to care. Regulators haven’t said anything. For the time being, Fidelity is acting as though August 2024 never occurred.