Goldman Sachs Warns Investors of Law Firm Data Breach at Fried Frank
Fried Frank Harris Shriver & Jacobson data breach exposes Goldman Sachs alternative fund investor information, prompting class action lawsuit.
Goldman Sachs has notified investors in its alternative investment funds that their personal data may have been exposed in a breach at outside counsel Fried Frank Harris Shriver & Jacobson LLP. The incident has already triggered a class action lawsuit against the law firm, highlighting the persistent risks organizations face from their legal and advisory partners.
TL;DR
- What happened: Fried Frank, a major law firm serving as Goldman Sachs' outside counsel, suffered a cybersecurity incident exposing fund investor data
- Who's affected: Investors in Goldman Sachs alternative investment funds whose information was held by the law firm
- Severity: Medium-High - sensitive financial and personal data of high-net-worth individuals exposed
- Action required: Affected investors should monitor for identity theft and consider credit freezes
What Happened?
In a December 19 letter to affected investors, Goldman Sachs disclosed that Fried Frank had informed it of a "cybersecurity incident" affecting data the law firm held on behalf of Goldman's alternative investment funds. Goldman stated it was working with the law firm "to better understand whether our data or our clients' data may have been exposed."
Goldman Sachs emphasized that its own systems were not impacted. "Goldman Sachs' systems were not impacted by this incident and remain secure," a spokesperson said. The breach occurred entirely within Fried Frank's infrastructure.
Fried Frank acknowledged the incident in a statement: "Fried Frank recently experienced a data security incident. We promptly acted to contain the incident and engaged industry-leading, external data security experts to assist in our response and in verifying the security of our systems and reported the matter to law enforcement."
Class Action Already Filed
A class action lawsuit was filed in the U.S. District Court for the Southern District of New York within days of the disclosure. The complaint alleges Fried Frank "failed to adequately safeguard the sensitive personal information" of account investments associated with Goldman Sachs private equity funds.
According to the lawsuit, Goldman Sachs Asset Management confirmed that the security incident might have exposed account holders' information. The complaint further alleges that Fried Frank hasn't notified account holders directly or offered credit monitoring services. Victims "can face multiple years of ongoing identity theft," the filing states.
Why Law Firms Are Prime Targets
Law firms hold extraordinarily sensitive information: merger details, litigation strategies, regulatory filings, and client personal data. They're attractive targets precisely because they aggregate confidential information from multiple clients.
The legal industry has faced a wave of breaches in recent years. Firms often lag behind their corporate clients in security maturity, operating with legacy systems and cultures that prioritize client service over security friction. And attorneys frequently resist security controls that slow their work.
For alternative investment funds specifically, law firms maintain investor records including accreditation documentation, tax information, and wire transfer details—everything an attacker needs for targeted fraud.
Third-Party Risk Management Implications
This incident illustrates why third-party risk management programs must extend beyond technology vendors. Professional services firms—accountants, law firms, consultants—often have deep access to sensitive data but receive less security scrutiny than cloud providers or IT vendors.
Organizations should evaluate their law firm relationships with the same rigor applied to other third parties: security questionnaires, contract requirements for breach notification, and potentially on-site assessments for firms handling the most sensitive matters.
Recommended Actions
- Review third-party access - Audit which professional services firms hold your organization's sensitive data
- Update contracts - Ensure breach notification requirements and security standards are codified in engagement letters
- Limit data sharing - Share only the minimum necessary information with outside counsel
- Monitor for fraud - Investors affected by this breach should watch for targeted phishing and wire fraud attempts
- Consider cyber insurance - Verify coverage extends to third-party incidents
Frequently Asked Questions
How do I know if my investment data was exposed?
Goldman Sachs is sending letters to affected investors. If you're an investor in Goldman Sachs alternative investment funds and haven't received notification, contact Goldman's investor relations team directly.
Should I freeze my credit if I'm affected?
A credit freeze is a reasonable precaution for anyone whose personal financial information was exposed. It's free to place and lift freezes with all three major bureaus.
Is Goldman Sachs liable for the breach?
Goldman Sachs' systems weren't compromised—the breach occurred at their law firm. Liability questions will likely center on whether Fried Frank had adequate security measures and whether Goldman exercised appropriate vendor oversight. These questions will be litigated in the pending class action.