Sensitive personal information including names, Social Security numbers, and driver’s license numbers was exposed after unauthorized access to a financial services company’s computer network, according to a newly filed class action lawsuit. The legal complaint claims that inadequate security measures led to the compromise of private data, putting thousands of individuals at risk of identity theft and fraud.
The lawsuit was filed by Elliott Adams on March 24, 2026, in the United States District Court for the Northern District of Illinois against Hightower Holding, LLC. Adams brings the suit individually and on behalf of all others similarly situated whose information was impacted by what is described as a significant data breach.
According to the complaint, Hightower Holding is a Chicago-based holding company that provides financial and retirement planning, wealth management, and investment advisory services through its subsidiaries. The plaintiff alleges that the company had statutory, regulatory, contractual, and common law duties to keep private information confidential and secure from unauthorized disclosure or access.
The document states that on January 9, 2026, Hightower became aware of a compromised account which allowed unauthorized access to its IT network. An internal investigation determined that between January 8 and January 9 certain files were downloaded without authorization. The types of information believed to have been compromised include names, Social Security numbers, and driver’s license numbers.
Despite learning about the breach in early January, Hightower did not issue a public disclosure notice until March 23—more than three months later. The complaint asserts that this delay deprived affected individuals of timely warning needed to take steps to protect themselves from potential misuse of their personal information.
The filing outlines several legal claims against Hightower Holding: negligence; negligence per se (based on alleged violations of Section 5 of the Federal Trade Commission Act); unjust enrichment; and breach of implied contract. Adams contends that he and other class members entrusted their private information with an expectation it would be kept safe. “Defendant owed Plaintiff and Class Members a duty to take all reasonable and necessary measures to keep the Private Information collected safe and secure from unauthorized access,” according to the complaint.
The lawsuit further argues that Hightower failed to implement industry-standard cybersecurity practices such as multi-factor authentication, employee training programs regarding cyber threats like ransomware or phishing attacks, strong password protocols, regular system monitoring for suspicious activity, encryption for stored data, patch management systems for software updates, firewalls configured against malicious IP addresses, malware detection software installation, limiting privileged account use based on necessity only—and more.
Plaintiff alleges these failures violate both federal guidelines issued by agencies such as the Federal Trade Commission (FTC) as well as established industry standards like those outlined by the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 2.0.
Adams describes suffering actual harm due to the incident—including lost time spent monitoring accounts for fraudulent activity; emotional distress; loss of privacy; diminished value of his personal information; increased spam communications; fear over future misuse; and ongoing risk related to identity theft or fraud. He also claims he experienced an uptick in spam messages following news of the breach.
The proposed class includes all persons in the United States who were impacted by the data breach publicly announced by Hightower Holding. The suit seeks certification as a class action so that damages can be pursued collectively rather than through individual lawsuits—a process described as more efficient given potentially thousands are affected.
Among other remedies sought are actual damages in amounts determined by court or jury; statutory damages or penalties where available; pre-judgment interest; restitution; attorneys’ fees; costs; expenses; declaratory relief finding defendant’s conduct unlawful under relevant statutes; injunctive relief requiring improved security practices going forward—and any other relief deemed appropriate by the court.
Elliott Adams is represented by attorney Gary M. Klinger of Milberg PLLC in Chicago. The case number is 1:26-cv-3267.
Source: 126cv3267_Elliott_Adams_v_Hightower_Complaint_Northern_District_of_Illinois.pdf
