Hennessy Advisors Data Breach

Hennessy Advisors, a California-based investment management company, detected unauthorized access to its computer systems. The company has confirmed that sensitive personal and financial information belonging to over 12,600 investors had been accessed and released by an unknown third party without authorization. Notification letters did not reach affected individuals until February 23, 2026 — almost eleven months after the initial discovery. 

What Happened at Hennessy Advisors?

On March 30, 2025, Hennessy Advisors — a publicly traded investment management company headquartered in Novato, California — detected suspicious activity within its computer systems. The company manages over $4 billion in assets across 17 mutual funds and ETFs, serving thousands of individual investors.

After launching an internal investigation and bringing in third-party cybersecurity professionals, Hennessy Advisors eventually confirmed that unauthorized actors had accessed and released private investor data without permission. It was not until late December 2025 — nearly nine months after the initial discovery — that the company confirmed the full scope of the unauthorized data exposure. Breach notification letters were sent to affected individuals beginning February 23, 2026. According to filings with the Maine Attorney General, approximately 12,643 individuals were impacted.

The extended gap between the initial breach discovery and individual notification raises serious questions about transparency, data security governance, and compliance with applicable state laws.

What Data Was Exposed?

While Hennessy Advisors has not publicly released a comprehensive breakdown of every data type compromised, affected investors were informed about the specific categories of their own information that may have been accessed. Given the nature of an investment management firm, the potentially exposed data could include names, Social Security numbers, financial account details, addresses, and other personally identifiable information — the very combination that makes identity theft and financial fraud most dangerous.

California Law and Your Rights as a Breach Victim

California has some of the nation’s strongest data breach protections. As of January 1, 2026, California’s newly enacted Senate Bill 446 mandates strict deadlines for notifying both affected individuals and the state attorney general following a breach. Because Hennessy Advisors is based in California and serves California investors, affected parties may have meaningful remedies under state law.

Under the California Consumer Privacy Act (CCPA) and related statutes, consumers whose non-encrypted personal information is accessed due to a company’s failure to maintain reasonable security measures may bring a private civil action. Statutory damages can range from $100 to $750 per consumer per incident — or actual damages, whichever is greater. In a breach involving over 12,000 individuals, that exposure is substantial.

Why the Notification Delay Is a Concern

One of the most troubling aspects of this breach is the timeline. The suspicious activity was discovered in March 2025, yet investors were not notified until February 2026 — nearly eleven months later. California law requires companies to notify affected consumers in the most expedient time possible and without unreasonable delay. A delay of this length demands scrutiny and may form the basis of legal claims beyond those tied directly to the breach itself.

What You Should Do If You Received a Notice

If you received a breach notification letter from Hennessy Advisors, do not ignore it. Start by reviewing your financial accounts and credit reports for any unusual activity. Enroll in the complimentary credit monitoring services the company is offering — but understand that accepting this offer does not waive your legal rights.

Most importantly, speak with a data breach attorney who can evaluate whether you have a claim and what compensation may be available to you.

How The Lyon Firm Can Help

At The Lyon Firm, we represent individuals whose personal and financial data has been compromised through corporate negligence. If you are among the thousands of investors affected by the Hennessy Advisors breach, our legal team is ready to review your case, explain your rights under California and federal law, and pursue the accountability you deserve.

Data breaches are not just inconveniences — they are failures of corporate responsibility. You have the right to hold negligent companies accountable.

Contact the data breach lawyers at The Lyon Firm today for a free, confidential consultation.
