Mercer Advisors Hit by ShinyHunters Data Breach

A Mercer Advisors client claims the firm’s data protection measures fell short in keeping customer information safe from a coordinated data breach carried out by an infamous cybercrime group.
According to the suit, filed by Mercer customer Paul Berger as a class action on behalf of other affected clients, the firm was hit with a cybersecurity breach around Feb. 16 by a cybercrime extortion group known as ShinyHunters.
The group gave Mercer 48 hours to pay a ransom, or it would leak approximately 5.7 million client records, including names, Social Security numbers and other personal information on the dark web. The group urged Mercer to pay to avoid becoming “the next headline,” but Mercer refused, and the group published the stolen information.
ShinyHunters first hit the cybercrime scene in 2020 with a bevy of high-profile incursions, starting with the theft of 91 million user records from Indonesian e-commerce platform Tokopedia and their publication on the dark web.
As part of its approach, the group steals data and puts it up for sale on dark web forums, selling it either to a single buyer or to multiple buyers. In the past several years, its targets have included Ticketmaster and AT&T (the latter company, according to news reports, paid about $370,000 in ransom after a massive data breach).
According to Berger, the group’s extortion tactics have escalated to include “swatting” attacks and threats of physical violence.
Mercer declined to comment for this story.
Berger alleges that Mercer failed to follow Federal Trade Commission guidance and industry best practices for protecting client information, and that the firm “acted inexcusably by failing to provide timely notice to the individuals whose personal information was compromised,” despite knowing about the incident.
Berger also claims Mercer’s data-security measures were not up to the task, arguing the firm failed to adopt “adequate network segmentation,” “multi-factor authentication and credential-protection measures,” “encryption of (personally identifiable information),” and “regular security audits and risk assessments,” among other safeguards.
Berger now claims that he and other Mercer customers “face years of constant surveillance of their financial and personal records” for signs that the stolen data is being used against them.
“For example, by linking the stolen email addresses with identifiable profile details such as a user’s follower count or avatar, cybercriminals can create highly convincing phishing emails, including messages that impersonate Mercer support and reference specific account information to gain trust,” the complaint read.
According to reports from CyberNews, Beacon Pointe Advisors was also the target of a ransom attempt by ShinyHunters last week, although CyberNews reported that the amount of data stolen from Beacon Pointe was smaller than in the alleged Mercer heist.
“Beacon Pointe was targeted by an unauthorized bad actor, but our security systems worked as designed to contain the scope of the incident,” a firm spokesperson said. “The incident affected an extremely small percentage of our client base—less than 0.5%. Those clients were notified weeks ago, and we deployed proactive measures to protect their accounts.”
According to other CyberNews reports, ShinyHunters also targeted Pathstone Family Office, a New Jersey-based firm with over $160 billion in managed assets.
Pathstone did not respond to a request for comment regarding the data breach prior to publication.
Mercer, Beacon Pointe and Pathstone aren’t the only industry players dealing with a recent data breach. Edelman Financial Engines filed a data breach notification with Maine regulators last month, stating the breach occurred (and was discovered) in early January.
According to a letter Edelman sent to affected clients, no client accounts were affected. Still, the attackers accessed personal information, including names, dates of birth, addresses, phone numbers, email addresses and other financial planning information. In response, Edelman said affected clients could enroll in a credit and identity monitoring service at no cost for 24 months.

