
TL;DR: Hightower Holding, one of America's largest independent wealth management firms, disclosed that hackers stole sensitive data from 131,483 clients. Attackers used compromised employee credentials to access the network on two separate occasions in January 2026, downloading Social Security numbers, financial account information, and investment records. The company waited 2.5 months to notify affected individuals.

What happened

On January 8-9, 2026, an unauthorized party logged into Hightower's network using a stolen employee account credential. They downloaded files containing client data. Then, 10 days later on January 19-20, someone accessed the network again through a different compromised account and grabbed more files.

Hightower says they discovered the intrusion on January 9, 2026. But notification letters didn't start going out until March 23, 2026, giving criminals a 2.5-month head start to exploit the stolen data.

The exposed information includes:

  • Full legal names and home addresses
  • Social Security numbers
  • Dates of birth
  • Driver's license numbers
  • Financial account information
  • Investment account records

That's the full identity theft package, plus detailed financial records that reveal exactly how much money victims have and where they keep it.

Who got hit

The final count: 131,483 individuals across the United States, including 1,557 Maine residents (one of the first states to require breach reporting with specific numbers).

Hightower Holding operates "one of the country's largest independent wealth management firms" according to their own materials. The Chicago-based parent company runs several subsidiaries:

  • Hightower Advisors, LLC – registered investment advisors
  • Hightower Securities, LLC – securities services
  • Hightower Trust Company, N.A. – trust administration

These firms provide investment management, financial planning, retirement solutions, and trust services to high-net-worth individuals across the U.S. If you work with a Hightower advisor, your data may be exposed.

How attackers got in: the credential problem

This wasn't a sophisticated zero-day exploit or nation-state hacking operation. Someone stole employee login credentials (likely through phishing, credential stuffing, or malware) and walked right in.

The fact that attackers accessed the network through two different compromised accounts over 10 days suggests either multiple employees fell for the same attack, or credentials were being sold or shared. Neither scenario inspires confidence.

For a firm managing billions in client assets, the lack of security controls that would detect or prevent credential-based access is concerning. Basic protections should have stopped or flagged this: multi-factor authentication to blunt stolen passwords, and anomaly detection for unusual login patterns or data loss prevention tools to raise flags when someone started bulk-downloading client files.
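The bulk-download flag described above can be as simple as comparing each account's daily file volume with its own recent baseline. The sketch below is an added example, not anything from Hightower or the sources; the account names, counts, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MIN_HISTORY = 5    # days of history required before judging an account
SPIKE_FACTOR = 10  # alert when the day's count is >= 10x the account's median
ABS_FLOOR = 50     # and at least this many files, so tiny baselines stay quiet


def find_bulk_downloads(events):
    """events: (day, account, files_downloaded) tuples.
    Returns sorted alerts (day, account, count, baseline)."""
    per_account = defaultdict(list)
    for day, account, count in sorted(events):
        per_account[account].append((day, count))
    alerts = []
    for account, series in per_account.items():
        history = []  # prior, non-alerting days only
        for day, count in series:
            if len(history) >= MIN_HISTORY:
                baseline = median(history)
                if count >= ABS_FLOOR and count >= SPIKE_FACTOR * max(baseline, 1):
                    alerts.append((day, account, count, baseline))
                    continue  # keep the spike out of the baseline
            history.append(count)
    return sorted(alerts)


def constructed_sample():
    """Constructed data, hypothetical account names: 20 days of routine
    activity with one bulk pull on each of two accounts."""
    bulk = {(date(2026, 1, 8), "advisor_a"): 900,
            (date(2026, 1, 19), "advisor_b"): 1400}
    routine = {"advisor_a": (12, 3), "advisor_b": (8, 4), "ops_c": (40, 5)}
    events = []
    for offset in range(20):
        day = date(2026, 1, 1) + timedelta(days=offset)
        for account, (base, spread) in routine.items():
            count = bulk.get((day, account), base + offset % spread)
            events.append((day, account, count))
    return events


if __name__ == "__main__":
    for day, account, count, baseline in find_bulk_downloads(constructed_sample()):
        print(f"{day} {account}: {count} files, median baseline {baseline}")
```

An account with fewer than `MIN_HISTORY` days of activity has no baseline and is never flagged here, so a volume rule like this complements multi-factor authentication rather than replacing it.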

Why wealth management breaches hit harder

When a retail store gets breached, attackers get names and maybe credit card numbers. When a wealth management firm gets breached, attackers get a complete financial profile:

  • Net worth and asset allocation
  • Bank account and brokerage account details
  • Investment strategies and positions
  • Tax identification information
  • Estate planning documents

This makes Hightower clients prime targets for sophisticated fraud. Attackers know exactly how much money victims have and can craft convincing social engineering attacks referencing real account details. "Hi, I'm calling from Hightower about your IRA rollover we discussed" becomes a lot more believable when the caller knows your actual account balance.

Wire fraud, investment scams, and tax fraud are all on the table. And high-net-worth individuals make attractive targets because a single successful scam can net hundreds of thousands of dollars.

The 2.5-month notification gap

Hightower discovered the breach on January 9, 2026. Notification letters went out on March 23, 2026. That's 73 days.

During those 73 days:

  • Criminals could have filed fraudulent 2025 tax returns using stolen SSNs
  • Stolen credentials could have been sold and resold on dark web markets
  • Identity thieves could have opened accounts, taken out loans, or committed other fraud
  • Victims had no idea they needed to protect themselves

Multiple state laws require breach notification within 30-60 days. Law firms are already investigating whether Hightower violated notification requirements.

What you should do

Freeze your credit immediately

With SSN, DOB, and driver's license number exposed, you're wide open for identity theft. Freeze your credit at Equifax, Experian, and TransUnion today. It's free and takes about 10 minutes per bureau.

Get an IRS Identity Protection PIN

Tax season is active. Get an IP PIN from the IRS at irs.gov to prevent fraudulent tax returns filed in your name.

Review your investment accounts

Check all accounts held at Hightower and other institutions for unauthorized access, trades, or address changes. Set up alerts for any account modifications.

Watch for targeted scams

Expect convincing phishing attempts that reference your real financial details. Verify any calls about your accounts by hanging up and calling the firm directly using a number you know is legitimate.

Free monitoring

Hightower is offering 12 months of identity monitoring and credit monitoring services. The notification letter includes enrollment details. This is helpful but not a substitute for credit freezes.
