Mercer Advisors faces class-action lawsuit over breach of 5.7m customer records

Investment advisory firm Mercer Advisors has been hit by a punitive class action lawsuit in the U.S. for failing to protect customer information from being stolen and published by a malicious cyber criminal group.

 

The Denver, Colorado-based wealth advisory company suffered a serious data breach incident in the middle of February that involved the ShinyHunters cyber extortion group hacking the company’s systems and stealing approximately 5.7 million client data records.

 

ShinyHunters claimed that the stolen data included over 1.3 million records of personally identifiable information and internal corporate data. The cyber criminal group then went on to publish the entire stolen repository after Mercer Advisors refused to pay a ransom to regain access to the stolen data. According to ShinyHunters, the investment advisory company failed to respond within the stipulated deadline of February 18 to negotiate a settlement.

 

On March 2, a class action lawsuit was filed by an individual named Paul Berger in the Colorado District Court, alleging that Mercer Advisors failed to protect its customers’ personal information from being accessed and shared by the cyber extortion group.

 

According to financial industry news and insights portal Wealth Management, Berger has alleged that Mercer Advisors "acted inexcusably by failing to provide timely notice to the individuals whose personal information was compromised" and failed to implement basic cyber security controls to protect customers’ personal data.

 

These measures included adequate network segmentation, multi-factor authentication, protection of credentials, encryption of personally identifiable information and regular security audits and risk assessments. Berger, himself a victim of the data breach, told the court that he and other victims are now exposed to identity theft and phishing attacks as a result of Mercer’s inadequate security controls.

 

The ShinyHunters extortion group, known for routinely conducting high-profile cyber attacks, also targeted San Francisco-based blockchain-native financial technology firm Figure Technology Solutions in January and stole personal and contact information tied to 967,200 accounts.

 

The group then went on to publish approximately 2.5 gigabytes of stolen data that included more than 900,000 unique email addresses along with names, phone numbers, physical addresses and dates of birth. The leaked records also reportedly included HubSpot CRM data, know-your-customer information, applicant records, employee data and stakeholder information.