Ameriprise Hit by SECOND Data Breach in 6 Months: 47K Customers' SSNs Stolen
ShinyHunters ransomware group accessed names, SSNs, and financial accounts of 47,876 customers; multiple class actions allege inadequate security.
MINNEAPOLIS, MN — For the second time in less than half a year, financial services giant Ameriprise Financial is reeling from a major cybersecurity failure. The firm has confirmed that an unauthorized third party gained access to its systems on March 18, 2026, compromising the highly sensitive personal and financial data of 47,876 customers.
The breach comes just six months after a previous security incident, signaling what analysts call a trend of systemic fragility in large-scale financial and healthcare institutions. According to filings with state Attorneys General, the impact is geographically widespread, including 2,527 victims in South Carolina, 2,390 in Texas, and 433 in New Hampshire. The compromised data includes full names, Social Security numbers (SSNs), dates of birth, home addresses, and financial account numbers.
ShinyHunters and the Litigation Wave
Security intelligence reports suggest the ShinyHunters group is responsible for the intrusion, allegedly exfiltrating over 200 GB of corporate data, including Salesforce records. Although Ameriprise blocked the access on the same day it was detected (March 18), the volume of exfiltrated data has already triggered a wave of litigation in Minnesota federal court.
Multiple class action lawsuits, spearheaded by firms such as Federman & Sherwood and Edelson Lechtzin LLP, allege that Ameriprise failed to notify victims promptly and maintained inadequate security protocols despite the clear targeting of the financial sector. Plaintiffs Betty Lackey and Pamela Caffrey argue that the leak creates a "lifetime" risk of identity theft for the nearly 48,000 affected customers.
Ameriprise is currently offering affected individuals 12 months of Equifax Complete Premier credit monitoring, which includes three-bureau monitoring and dark web scanning. However, for a sector already bruised by recent attacks on firms like Cetera and Hightower, the recurring nature of these breaches suggests a broader need for rigorous financial data protection standards.
The CyberSignal Analysis
Signal 01 — The "Six-Month Relapse"
The most alarming aspect of this incident is the timing. A second breach within six months suggests that either the initial remediation was incomplete, or the firm's attack surface is too vast for its current defensive posture. When a financial institution loses SSNs twice in half a year, it moves from "victim of a hack" to "subject of systemic risk."
Signal 02 — The Salesforce Supply Chain
The involvement of Salesforce records in the exfiltration report points to a growing trend: threat actors are no longer just hitting the "vault"; they are hitting the CRM. For financial advisors, the CRM is the true treasure trove, containing the intimate financial profiles that allow for high-precision phishing and identity fraud.