Mercer Faces Data Breach Lawsuits

"Based on our investigation, we determined on March 25, 2026, that an unauthorized third party obtained certain of your personal information," the firm said, according to sample letters posted on the California attorney general's office website.

Affected data varied by individual and included name, contact information, driver's license and passport numbers, birth dates and account numbers.

"Based on our investigation, we believe the affected information did not include your Social Security number," Mercer told those it contacted. "After becoming aware of the issue, we promptly launched an investigation with the assistance of leading external cybersecurity experts to understand its nature and scope. We blocked the unauthorized party's access to our systems and took additional steps to enhance our safeguards. We also reported the issue to law enforcement authorities."

The firm is offering free credit and dark web monitoring and identity protection services.

"We recently became aware of an issue involving unauthorized access to some of our systems used to store client data. We are actively investigating the matter with the assistance of leading cybersecurity experts, and we have also notified law enforcement," a Mercer spokesperson told ThinkAdvisor by email Friday.

"Our investigation, along with that of the third-party experts, has indicated that this incident is contained. At no point did the unauthorized access impact our ability to serve clients. The security of our clients' data and our systems is a top priority for us, and we take this matter very seriously," the spokesperson wrote.

The firm faces at least three recently filed putative class action lawsuits related to the breach.

One complaint filed Wednesday in U.S. District Court for the Southern District of California seeks damages, restitution and an injunction, alleging negligence, invasion of privacy and other violations.

It states that on Feb. 23, Cybernews published an article "reporting that, after giving a 48-hour ultimatum, ShinyHunters, an infamous extortion gang, dumped millions of records tied to MERCER ADVISORS onto the dark web.

"In the article, Cybernews reported that 'last week,' MERCER ADVISORS received warnings that attackers had gained access to millions of records of their internal data. The attackers claimed they would expose the data if their demands were not met. As in most extortion cases, threats to release data are part of pressure tactics designed to force negotiations and muscle organizations into paying ransom. And also to get revenge on the company's reputation by releasing the data publicly if the demands are not met," the lawsuit states.

Cybernews posted screenshots of the Mercer data leaked on the dark web and reported that the Cybernews research team had investigated the leaked dataset and discovered it includes Mercer clients' data, "including, but not limited to full names, contact information, and Social Security numbers, and that in total, the MERCER ADVISORS' data leaked on the dark web is 5GB in size."

The suit also complains about Mercer's delay in advising affected people about the breach.

Another suit filed in U.S. District Court for the District of Colorado earlier in April addresses the same breach.

Yet another complaint, which a Mercer customer filed in Colorado last month, alleges that on Feb, 6, ShinyHunters "claimed responsibility for an unauthorized intrusion into systems associated with Mercer, asserting that it had accessed and exfiltrated over 5 million records belonging to the firms' clients and internal operations."

"The group issued a 48-hour ultimatum to Mercer, threatening to leak the records it had stolen if Mercer refused to pay a ransom; warning Mercer to '[m]ake the right decision, don't be the next headline.' When its demands were not met, ShinyHunters published the records to the dark web," the lawsuit contends.

Credit: Sergey Nivens/Adobe Stock