Cybersecurity Breach at Edelman Financial Engines Highlights Growing Risks for Advisory Firms
From the desk of Jim Eccleston at Eccleston Law
A recent cybersecurity incident involving Edelman Financial Engines has drawn attention to the increasing number of cyberattacks targeting registered investment advisers, according to Financial Advisor News.
Regulatory filings submitted to the attorney general of Maine indicate that Edelman experienced a data breach that exposed sensitive personal information belonging to more than 5,000 clients. As Financial Advisor News reports, the firm detected the unauthorized activity shortly after the incident occurred.
According to a notice the firm submitted to the California Department of Justice, an unauthorized third party accessed information maintained by the firm on January 7, 2026. Edelman discovered the intrusion the following day and moved quickly to terminate the unauthorized access and investigate the incident with assistance from external cybersecurity experts.
In a letter to affected clients, the firm stated that the compromised data included names, dates of birth, addresses, phone numbers, email addresses, and certain financial planning information. Edelman also disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation that Social Security numbers belonging to 26 residents had been accessed.
Edelman informed clients that the incident did not involve access to their Edelman Financial Engines account information. The firm also stated that it will provide affected individuals with 24 months of complimentary credit monitoring services, according to Financial Advisor News.
State laws require companies to disclose breaches involving unencrypted personal information. In jurisdictions such as California, firms must submit a sample notification letter when a breach affects more than 500 residents, as Financial Advisor News notes.
The disclosure comes amid a broader wave of cybersecurity threats targeting wealth management firms. According to Financial Advisor News, the cybercrime group ShinyHunters recently claimed responsibility for attacks involving Mercer Advisors and Beacon Pointe Advisors.
The group reportedly threatened to release stolen client data on the dark web unless the firms contacted the attackers and paid a ransom. A spokesperson for Mercer Advisors confirmed that unauthorized access occurred within certain systems used to store client information. The firm stated that it launched an investigation with cybersecurity specialists and notified law enforcement authorities.
On February 20, Beacon Pointe reported a separate data breach to Massachusetts regulators involving three state residents. The compromised data reportedly included Social Security numbers, driver's license numbers, and financial account information. A source familiar with the situation told Financial Advisor News that the breach did not involve custodian account data.
As Financial Advisor News reports, cybersecurity incidents involving financial advisory firms have increased in recent months. Advisory firms maintain extensive collections of personally identifiable information and financial planning records, which can make them attractive targets for cybercriminals.
According to data from the Massachusetts Office of Consumer Affairs and Business Regulation cited by Financial Advisor News, at least 15 financial firms reported data breaches affecting state residents between January 1 and February 20. The list includes firms such as Ameriprise Financial Services, PNC Financial Services, Raymond James, CFD Investments, and Wells Fargo Clearing Services.
Eccleston Law LLC represents investors and financial advisors nationwide in securities, employment, transition, regulatory, and disciplinary matters.