Ameriprise Financial Sued Over ShinyHunters Data Breach That Allegedly Exposed Clients’ Social Security Numbers, Account Data

Former Ameriprise clients have filed a federal class action lawsuit claiming the Minneapolis-based wealth management giant failed to protect their most sensitive financial and personal data after the notorious ShinyHunters hacking group claimed responsibility for stealing over 200GB of customer records in March 2026. The plaintiff, Betty Lackey, alleges Ameriprise failed to safeguard her personally identifiable information (PII) — including Social Security numbers, payment card information, financial transaction data, and account details — and that the company has yet to notify affected customers of the breach. The case, Lackey v. Ameriprise Financial Inc., Case No. 0:26-cv-02128, was filed in the U.S. District Court for the District of Minnesota.

Quick Case Snapshot

Plaintiff: Betty Lackey (on behalf of a proposed class of affected Ameriprise clients)
Defendant: Ameriprise Financial Inc.
Court: U.S. District Court, District of Minnesota
Case Number: 0:26-cv-02128
Filing Date: April 2026
Judge: Not yet assigned
Claims Alleged: Negligence, failure to safeguard PII, failure to timely notify breach victims
Damages Sought: Not yet disclosed
Current Status: Newly filed; no court response or scheduling order yet

What Happened: ShinyHunters Claims 200GB Stolen From Ameriprise

ShinyHunters posted a claim on the dark web that it held 200GB of Ameriprise Financial data, including Salesforce PII records and internal SharePoint data, and issued what it called a “final warning,” setting a hard deadline of March 25, 2026 for Ameriprise to make contact. The post was updated on March 23, warning of “several annoying (digital) problems” if the company failed to respond.

ShinyHunters is a digital extortion group that steals sensitive information from companies and threatens to leak it in exchange for ransom. The same group was allegedly at the center of a separate data breach at Mercer Advisors around the same period.

The breach of Ameriprise Financial was discovered on March 24, 2026, with the threat actor identified as ShinyHunters and the leak size reported at 200GB.

What the Lawsuit Alleges: “Clients Don’t Even Know They’re at Risk”

The complaint alleges that Ameriprise failed to protect Lackey and other clients from the breach, and that their PII — including names, addresses, dates of birth, account information, payment card information, authentication credentials, financial transaction records, contact information, and Social Security numbers — was compromised. Critically, the suit argues that Ameriprise has yet to notify victims.

In the complaint’s own words: “Most, if not all, class members have no idea that their private information had been compromised, and that they continue to be at a significant risk of identity theft and various other forms of personal, social and financial harm.”

Lackey further claims Ameriprise failed to adequately enhance its data security practices despite being aware that companies in the financial industry were susceptible targets.

A parallel lawsuit filed by plaintiff Pamela Caffrey makes similar allegations. That complaint faults Ameriprise for not giving any assurances that the firm recovered or destroyed the client data, or that it “has adequately enhanced its data security practices sufficient to avoid a similar breach of its network in the future.”

The Caffrey complaint states that the risk of harm to affected clients “will remain for their respective lifetimes.”

Ameriprise’s Response: “We Blocked the Unauthorized Access”

Ameriprise has not remained silent. The firm says outside forensic experts confirmed it has blocked unauthorized access to data, that it is confident the plaintiff’s data was not affected, and that when sensitive data is affected, the firm would notify the appropriate authorities.

According to an Ameriprise spokesperson, the firm experienced “an incident involving unauthorized access” to some stored data and files, adding: “We blocked the unauthorized access, and outside forensic experts have confirmed this.”

The company’s position — that no client data was actually exfiltrated or confirmed compromised — is expected to be a central defense argument as the case proceeds.

This Is Not Ameriprise’s First Data Security Incident

This latest lawsuit arrives against a backdrop of repeated cybersecurity incidents at the firm.

In April 2025, a separate breach occurred due to insider wrongdoing. Affected individuals were notified in early May 2025 and offered 12 months of identity theft protection through Equifax, including credit and dark web monitoring.

On August 26, 2025, Ameriprise discovered yet another breach stemming from a phishing incident involving an advisor’s staff member on November 11, 2025. That breach exposed a wide range of PII including Social Security numbers, driver’s license numbers, account values, net worth, and in some cases protected health information. The company notified affected consumers by mail on September 8, 2025, and the incident affected 598 current and former clients across the U.S.

Ameriprise Financial manages over $1.17 trillion in assets, making the security of its client records an issue with enormous financial and reputational stakes.

Legal Context: Why Financial Firms Face High Data Security Standards

Financial institutions like Ameriprise are subject to some of the strictest data protection obligations in U.S. law. The Gramm-Leach-Bliley Act (GLBA) requires financial services companies to implement safeguards protecting customer financial information. The FTC Safeguards Rule, updated in 2023, sets specific technical and administrative security requirements for financial institutions.

Beyond federal law, firms registered with FINRA (the Financial Industry Regulatory Authority) are expected to maintain cybersecurity programs commensurate with their size and the sensitivity of the data they hold.

Ameriprise and Cetera are the latest victims in an ongoing run of data breaches against financial services firms; other victims include Mercer, Hightower Advisors, Edelman Financial Engines, Beacon Pointe Advisors, and Pathstone Family Office. The pattern signals a targeted, industrywide threat — and regulators and plaintiffs’ attorneys are paying close attention.

Broader industry collaboration through threat intelligence platforms and coordinated disclosure programs has been recommended as a key defense against groups like ShinyHunters, with the ability to detect and contain intrusions quickly seen as critical to long-term resilience in financial services.

In data breach class actions, plaintiffs typically allege negligence (the company failed to use reasonable care to protect data), breach of implied contract (clients trusted the firm with their data under an implicit promise of security), and unjust enrichment. Courts have increasingly allowed data breach suits to proceed even where plaintiffs haven’t yet suffered documented financial loss, recognizing the elevated, ongoing risk of identity theft as sufficient harm.

Current Status and What Happens Next

The case was recently filed and is in its earliest stages. Ameriprise will have an opportunity to file a motion to dismiss — arguing, among other things, that no actual harm has been proven and that the unauthorized access was blocked before data was extracted. If the motion is denied, the case would enter discovery, during which both sides exchange evidence including Ameriprise’s internal cybersecurity records, incident reports, and communications about the breach.

The plaintiffs will simultaneously seek class certification — a legal determination that the case can proceed on behalf of all affected Ameriprise clients as a group, rather than just the named plaintiff. Class certification is often a pivotal moment; if granted, potential liability expands significantly.

Settlement discussions can begin at any stage. Given Ameriprise’s prior incidents and the reputational sensitivity of the allegations, early resolution is a realistic possibility — though not guaranteed.

Are You an Affected Ameriprise Client? Here’s What To Do Right Now

If you are or were an Ameriprise Financial client and are concerned about this breach, take these steps immediately:

  • Monitor your credit reports at all three bureaus (Equifax, Experian, TransUnion) — you’re entitled to free weekly reports at AnnualCreditReport.com
  • Place a fraud alert or credit freeze with all three bureaus if you suspect misuse
  • Watch for phishing attempts — criminals who obtain your data may impersonate Ameriprise or other financial institutions
  • Check your account statements for unauthorized transactions
  • Save any notification letters from Ameriprise, as these may be relevant to any future claim

Frequently Asked Questions

What exactly was allegedly stolen in the Ameriprise data breach?

According to the lawsuit, the compromised data may include names, addresses, dates of birth, account information, payment card information, authentication credentials, financial transaction information, contact information, and Social Security numbers.

Who filed the lawsuit against Ameriprise? 

Betty Lackey, a former Ameriprise client, filed the class action lawsuit. She is represented by Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne P.A., and Tyler J. Bean and Tanner R. Hilton of Siri & Glimstad LLP.

Who is ShinyHunters and why does it matter? 

ShinyHunters is a digital extortion group that steals sensitive information from companies and threatens to leak it in exchange for ransom. Their involvement signals a professional, coordinated attack — not an opportunistic intrusion — which may strengthen arguments that Ameriprise should have been better prepared.

Has Ameriprise notified affected customers? 

As of the filing date, the lawsuit specifically alleges that Ameriprise has not notified most affected customers. Ameriprise disputes the extent of any breach and states outside experts confirmed unauthorized access was blocked.

Could this case result in a payout to affected clients? 

Potentially, yes — if the case proceeds as a class action and plaintiffs prevail or settle, affected Ameriprise clients could be eligible for compensation. No settlement amount or class definition has been established. Readers should monitor case developments at PACER (the federal courts’ public records system) under Case No. 0:26-cv-02128.

Is this Ameriprise’s first data breach?

No. A prior breach discovered in August 2025 affected 598 current and former clients, exposing Social Security numbers, account values, net worth, and in some cases protected health information. A separate April 2025 incident involved insider wrongdoing.

Last Updated: April 17, 2026

This article is for informational purposes only and does not constitute legal advice. Allegations in a complaint are not findings of fact. All parties are presumed innocent unless and until proven otherwise in court.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.