Cyberattack on client data lands Mercer in federal lawsuit

A data breach last month has landed Mercer Advisors in court with a putative class-action suit that contends the prolific RIA acquirer failed to adequately protect private client data.


Paul Berger of Washington, D.C. sued Mercer in the U.S. District Court for the District of Colorado on Monday following a data breach in mid-February. A cybercrime group known as ShinyHunters later claimed on the "dark web" (sites hosted on anonymizing overlay networks that can only be reached with special software) that it had obtained access to roughly 5.7 million individual records containing client names, full or partial Social Security numbers, emergency contact details and other information.

According to the suit, ShinyHunters — which has claimed responsibility for prominent hacks against other large wealth managers and high-profile firms — demanded a ransom in return for not releasing the information. "Make the right decision, don't be the next headline," the group allegedly threatened.

When Mercer refused to pay, the hackers released the client information on the dark web. Berger's suit, which seeks class action status so others allegedly harmed in a similar way can join, says he and other victims have been rendered highly vulnerable to fraud attempts.

"For example, by linking the stolen email addresses with identifiable profile details such as a user's follower count or avatar, cybercriminals can create highly convincing phishing emails, including messages that impersonate Mercer support and reference specific account information to gain trust," according to the suit. "These and other threats resulting from the Data Breach will now require Plaintiffs to engage in ongoing and constant monitoring of their financial and personal records."

Berger's lawyers did not respond to requests for comment. Mercer declined to comment for this article.


Regulators' push to protect client data

Protecting private investor data has been a priority for industry regulators in recent years. 

The Securities and Exchange Commission, for instance, adopted a slew of changes in 2024 giving firms additional obligations under a federal privacy rule known as Regulation S-P. The biggest change gives investment advisors, brokers and other affected firms 30 days to tell clients of any data security lapse that might trigger "a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."

Policymakers had also considered rules that would have given both registered advisors and broker-dealers hard deadlines for reporting cyberbreaches to enforcement officials. But those proposals were dropped last year as the SEC under President Donald Trump took a lighter touch toward industry regulation.

Denver-based Mercer, which has more than $96 billion in client assets and more than 1,550 employees, isn't the only prominent wealth manager to have suffered a data breach in recent months. In January, the fintech and robo advisor Betterment confirmed that it had suffered an attack that exposed customer names and email addresses and, in some cases, physical addresses, phone numbers and birth dates. ShinyHunters also claimed responsibility for that breach.

Other financial firms targeted in widely reported recent attacks include Edelman Financial Engines and Pathstone Family Office.

Berger's suit against Mercer contends the breach exposed him to harm and occurred because Mercer did not follow industry standards designed to protect client data. The suit alleges Mercer failed to ensure the personal information it held was encrypted, to monitor for and remediate vulnerabilities in its cybersecurity systems and to ensure employees could access private data only after passing multifactor authentication, a control that requires a user to present at least two independent proofs of identity (for example, a password plus a one-time code or a hardware security key) before access is granted. The suit accuses Mercer of negligence, unjust enrichment and breach of an implied contract.
