This is pretty alarming, especially as it's not something that would require the victim to make a mistake or fall for a scam.
Something similar happened to me with Ally a few years back, though in that case the scammer first got into my cell phone account (this was my fault; my bank accounts had very secure passwords but my cell phone account didn't), reported my phone as lost or missing, and transferred my number to their device. Then they called Ally, told them they couldn't remember their (my) password, and when Ally sent a verification code to my phone number, it went to their device. They got in that way and immediately transferred a bunch of money to themselves via Zelle. Thankfully: (1) I noticed it instantly, as Ally sent me an email saying "this is just confirming that you just spoke with an agent and changed your password," and since I hadn't done that, I called right away and put a halt to things as much as possible; and (2) Ally (or their insurance, I guess) reimbursed me in full a few weeks later.
The Fidelity thing is worse, both in scale and in the fact that it seems like the couple couldn't have done anything to prevent this (aside from catching the fraud more quickly after the fact, which they shouldn't have to do). I'm glad they got their money back and concerned that there's not a robust mechanism to prevent it from happening again.