Data Breach Affecting Goldman Sachs Investment Clients Allegedly Exposes Social Security Numbers

A data breach involving the data of Goldman Sachs clients has been disclosed, affecting those connected to certain alternative investment funds and separately managed accounts. The incident did not impact Goldman Sachs’ own systems, but rather those of Fried Frank, a law firm serving as external counsel for the financial services giant.

The breach was first disclosed to affected investors in a letter dated Dec. 19, 2025, which was later filed as an exhibit in a class action complaint in the Southern District of New York. According to the complaint and related filings, the breach resulted in unauthorized access to highly sensitive documents and personally identifiable information (PII) stored on Fried Frank’s network.

The exact number of affected individuals has not been specified, but the class action seeks to represent all persons whose data was compromised and who were notified on or after Dec. 19.

According to the complaint, the information exposed in the incident includes data types provided to Goldman by its clients: names, contact and demographic information, government identification numbers such as Social Security numbers and driver’s license numbers, financial account information, and dates of birth.

The complaint further alleges that the breach may have also included sensitive personal data such as addresses, marital status, employer details, and banking information.

The breach allegedly occurred when cybercriminals intentionally targeted Fried Frank for the valuable PII it held. The attackers exploited vulnerabilities in the law firm’s systems, exfiltrated sensitive data, and may have posted some of this information on the dark web.

The complaint alleges that Fried Frank failed to implement adequate and reasonable cybersecurity procedures and protocols, which enabled the breach. As a result, affected individuals are now at heightened risk for identity theft, fraud, and other misuse of their personal information.

Goldman Sachs' & Fried Frank's response

Goldman Sachs has stated that its own systems were not impacted and remain secure. Upon learning of the incident, Goldman Sachs began working closely with Fried Frank to determine whether client data had been exposed. The analysis is ongoing, and Goldman Sachs has committed to providing client-specific notifications as more information becomes available.

Fried Frank responded to the incident by promptly containing the breach, engaging external data security experts to verify the security of its systems, and notifying law enforcement. According to Goldman Sachs’ letter, Fried Frank has provided an attestation from an independent forensics firm confirming that the vulnerabilities have been remediated and that the network is now secure. Goldman Sachs is also conducting its own assessment of Fried Frank’s security controls to independently validate these remediation efforts.

However, the class action complaint notes that, as of Dec. 24, Fried Frank had not directly notified all affected account holders or offered credit monitoring or other remediation services. Plaintiffs in the lawsuit are seeking damages and a requirement that the law firm pay for at least ten years of credit monitoring for those affected. Given the nature of the information exposed, affected individuals should closely monitor their financial accounts, consider placing fraud alerts or credit freezes, and remain vigilant for signs of identity theft or phishing attempts.