Wojeski & Company

Wojeski & Company, a public accounting firm, suffered two significant data breaches within a year. The first incident in July 2023 involved a ransomware attack triggered by a phishing email, compromising sensitive customer data. The second breach in May 2024 occurred when an employee—hired to investigate the 2023 incident—improperly accessed customer data in files shared for review. The breaches exposed 6,232 individuals' personal information, including names, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical benefits, and entitlement records. Wojeski failed to notify affected customers until November 2024, nearly a year after the initial attack. The New York Attorney General’s settlement required the firm to pay $60,000 in penalties and implement stricter security measures, including encryption, cybersecurity training, and incident response reforms.

Source: https://natlawreview.com/article/br-privacy-security-download-november-2025

TPRM report: https://www.rankiteo.com/company/bstcocpa

"id": "bst3203032110725",
"linkid": "bstcocpa",
"type": "Ransomware",
"date": "7/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Software/Tech',
                        'location': 'California, USA',
                        'name': 'California Operating System Providers & App '
                                'Developers',
                        'type': 'Technology Companies'},
                       {'customers_affected': '≥60,000 consumers (or ≥20,000 '
                                              'if data sales comprise ≥20% '
                                              'revenue).',
                        'industry': 'Multiple',
                        'location': 'Massachusetts, USA',
                        'name': 'Massachusetts Businesses Handling Consumer '
                                'Data',
                        'type': 'Data Controllers/Processors'},
                       {'industry': 'Multiple',
                        'location': 'Pennsylvania, USA',
                        'name': 'Pennsylvania Businesses (>$10M Revenue)',
                        'type': 'Data Controllers/Processors'},
                       {'industry': 'Finance',
                        'location': 'New York, USA',
                        'name': 'NYDFS Covered Entities (Financial Services)',
                        'type': 'Financial Institutions'},
                       {'customers_affected': '825,000+ New Yorkers.',
                        'industry': 'Insurance',
                        'location': 'New York, USA',
                        'name': 'Auto Insurance Companies (8 unnamed)',
                        'type': 'Insurance Providers'},
                       {'customers_affected': '6,232 individuals.',
                        'industry': 'Accounting',
                        'location': 'New York, USA',
                        'name': 'Wojeski & Company',
                        'type': 'Public Accounting Firm'},
                       {'customers_affected': 'Children under 13 (exact number '
                                              'unspecified).',
                        'industry': 'Technology',
                        'name': 'Iconic Hearts Holdings (Sendit App)',
                        'type': 'Social Media/Tech'},
                       {'customers_affected': 'Children (exact number '
                                              'unspecified).',
                        'industry': 'Technology/Entertainment',
                        'location': 'Florida, USA (subsidiary)',
                        'name': 'Roku, Inc.',
                        'type': 'Streaming Device Company'},
                       {'customers_affected': 'Minors (exact number '
                                              'unspecified).',
                        'industry': 'Technology',
                        'location': 'USA (HQs)',
                        'name': 'Meta (Facebook/Instagram), Snap Inc., '
                                'TikTok/ByteDance, Google/YouTube',
                        'type': 'Social Media Platforms'},
                       {'customers_affected': '150 patients.',
                        'industry': 'Healthcare',
                        'name': 'Cadia Healthcare Facilities',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': 'Class action plaintiff (Michael '
                                              'Salazar).',
                        'industry': 'Entertainment/Sports',
                        'location': 'USA',
                        'name': 'NBA',
                        'type': 'Sports League'}],
 'data_breach': {'data_exfiltration': [{'incident': 'Auto Insurers Breach',
                                        'status': 'Data used for fraudulent '
                                                  'unemployment claims.'}],
                 'number_of_records_exposed': ['825,000+ (Auto Insurers)',
                                               '6,232 (Wojeski & Co.)',
                                               '150 (Cadia Healthcare)',
                                               'Unspecified (Roku, Sendit).'],
                 'personally_identifiable_information': ['Names',
                                                         'Dates of birth',
                                                         'SSNs',
                                                         'Driver’s license '
                                                         'numbers',
                                                         'Phone numbers',
                                                         'Geolocation data',
                                                         'Voice recordings',
                                                         'Photos',
                                                         'Social media '
                                                         'usernames',
                                                         'Health treatment '
                                                         'details.'],
                 'sensitivity_of_data': ['High (SSNs, driver’s license '
                                         'numbers, health data, children’s '
                                         'data).'],
                 'type_of_data_compromised': ['Driver’s license numbers (Auto '
                                              'Insurers)',
                                              'Household driver data (Auto '
                                              'Insurers)',
                                              'Names, dates of birth, SSNs, '
                                              'financial account numbers '
                                              '(Wojeski & Co.)',
                                              'Precise geolocation, viewing '
                                              'habits, voice recordings (Roku)',
                                              'Phone numbers, birthdates, '
                                              'photos, social media usernames '
                                              '(Sendit)',
                                              'Patient names, photographs, '
                                              'treatment details (Cadia '
                                              'Healthcare).']},
 'date_publicly_disclosed': ['2025-09-23 (New Zealand Privacy Amendment Act)',
                             '2025-10-01 (FTC shutdown)',
                             '2025-10-XX (Various regulatory updates and '
                             'enforcement actions)'],
 'description': [{'details': 'California Governor Gavin Newsom signed the '
                             'California Digital Age Assurance Act, '
                             'requiring age verification interfaces for '
                             'devices and apps, with enforcement by the '
                             'California Attorney General. Penalties include '
                             'up to $2,500 (negligent) or $7,500 (intentional) '
                             'per affected child. Effective January 1, 2027 '
                             '(or July 1, 2027 for pre-existing accounts).',
                  'type': 'Regulatory Update'},
                 {'details': 'Massachusetts Senate passed the Massachusetts '
                             'Data Privacy Act (MDPA), applying to entities '
                             'handling data of ≥60,000 consumers (or ≥20,000 '
                             'if data sales comprise ≥20% revenue) or '
                             'processing reproductive/sexual health data. '
                             'Includes consumer rights (access, correct, '
                             'delete, opt-out), sensitive data restrictions, '
                             'and privacy notices. Enforcement by the Attorney '
                             'General with penalties up to $5,000 per '
                             'violation. Effective January 1, 2027 (some '
                             'provisions June 1, 2027).',
                  'type': 'Regulatory Update'},
                 {'details': 'Pennsylvania House approved the Consumer Data '
                             'Privacy Act, granting rights to access, '
                             'correct, delete, and opt-out of data processing. '
                             'Applies to businesses with >$10M annual revenue. '
                             'Enforced by the Attorney General under state '
                             'Unfair Trade Practices law.',
                  'type': 'Regulatory Update'},
                 {'details': 'NYDFS issued Guidance on Managing Third-Party '
                             'Service Provider Risk, emphasizing proactive '
                             'due diligence, contract provisions (e.g., access '
                             'controls, breach notification), ongoing '
                             'monitoring, and secure offboarding. Compliance '
                             'responsibility remains with Covered Entities.',
                  'type': 'Regulatory Guidance'},
                 {'details': 'Minnesota and New Hampshire joined the '
                             'Consortium of Privacy Regulators, expanding '
                             'cross-jurisdictional enforcement of state '
                             'privacy laws (e.g., Minnesota’s Consumer Data '
                             'Privacy Act, New Hampshire’s Data Privacy Act). '
                             'The Consortium coordinates investigations and '
                             'shares resources.',
                  'type': 'Regulatory Enforcement'},
                 {'details': 'Two U.S. cybersecurity initiatives expired due '
                             'to congressional gridlock: Cybersecurity '
                             'Information Sharing Act (CISA) of 2015 (legal '
                             'protections for threat data sharing) and the '
                             'State and Local Cybersecurity Grant Program '
                             '($1B for state/local cyber defenses).',
                  'type': 'Federal Cybersecurity Lapse'},
                 {'details': 'FTC shutdown during funding lapse disabled '
                             'consumer protection services, including '
                             'ReportFraud.ftc.gov, IdentityTheft.gov, '
                             'Econsumer.gov, and the National Do Not '
                             'Call Registry. No action will be taken until '
                             'government reopens.',
                  'type': 'Federal Service Shutdown'},
                 {'details': 'The Joint Commission and Coalition for Health '
                             'AI (CHAI) issued guidance on responsible AI '
                             'use in healthcare, covering governance, '
                             'transparency, data security, bias assessments, '
                             'and staff training.',
                  'type': 'Healthcare AI Guidance'},
                 {'details': 'Bipartisan GUARD Act introduced to regulate '
                             'AI chatbots for minors, requiring age '
                             'verification, account linking, harmful content '
                             'prohibitions, and user data safeguards. Fines up '
                             'to $100,000 for violations.',
                  'type': 'Federal Legislation'},
                 {'details': 'Court dismissed VPPA class action against the '
                             'NBA (Salazar v. NBA) for Meta Pixel data '
                             'sharing, ruling that Facebook IDs and video '
                             'titles do not qualify as ‘personally '
                             'identifiable information’ under the VPPA’s '
                             '‘ordinary person’ standard.',
                  'type': 'Litigation'},
                 {'details': 'Court dismissed National Retail Federation’s '
                             'challenge to New York’s Algorithmic Pricing '
                             'Disclosure Act, which requires merchants to '
                             'disclose algorithmically set prices. The '
                             'compelled disclosure was deemed factual and '
                             'non-controversial under *Zauderer*.',
                  'type': 'Litigation'},
                 {'details': 'New Jersey Supreme Court agreed to review '
                             'Daniel’s Law, focusing on the mental state '
                             'required for liability under the statute, which '
                             'restricts disclosure of personal information of '
                             'judges, prosecutors, and law enforcement '
                             'officers.',
                  'type': 'Litigation'},
                 {'details': 'FTC filed a complaint against Iconic Hearts '
                             'Holdings (Sendit app) for violating COPPA, '
                             'the FTC Act, and ROSCA. Allegations include '
                             'collecting children’s data without parental '
                             'consent, deceptive subscription practices, and '
                             'failing to disclose subscription terms.',
                  'type': 'Enforcement Action'},
                 {'details': 'Florida AG sued Roku for violating the '
                             'Florida Digital Bill of Rights (FDBOR) and '
                             'FDUTPA, alleging it collected and sold '
                             'children’s sensitive data (geolocation, voice '
                             'recordings) without consent and enabled '
                             'reidentification of deidentified data.',
                  'type': 'Enforcement Action'},
                 {'details': 'New York City sued Meta, Snap, '
                             'TikTok/ByteDance, and Google/YouTube for '
                             'designing addictive features (e.g., infinite '
                             'scroll, algorithmic feeds) targeting minors, '
                             'contributing to youth mental health crises. '
                             'Claims include public nuisance and negligence.',
                  'type': 'Enforcement Action'},
                 {'details': 'OCR settled with Cadia Healthcare Facilities '
                             'for HIPAA violations after posting 150 '
                             'patients’ success stories (names, photos, '
                             'treatment details) without authorization. '
                             'Settlement includes $182,000 fine and a 2-year '
                             'corrective action plan.',
                  'type': 'Enforcement Settlement'},
                 {'details': 'New York AG settled with 8 auto insurers for '
                             'a data breach exposing 825,000+ New Yorkers’ '
                             'data via an exploitable ‘pre-fill’ tool. '
                             'Settlement includes $14.2M in penalties and '
                             'mandatory security measures (e.g., '
                             'authentication, monitoring).',
                  'type': 'Enforcement Settlement'},
                 {'details': 'New York AG settled with Wojeski & Company '
                             '(accounting firm) for two data breaches (2023 '
                             'ransomware attack and 2024 improper access by an '
                             'investigator). Affected 6,232 individuals; '
                             'settlement includes $60,000 fine and security '
                             'measures (encryption, training).',
                  'type': 'Enforcement Settlement'},
                 {'details': 'New Zealand’s Privacy Amendment Act 2025 '
                             'introduces a new notification requirement '
                             '(Information Privacy Principle 3A) for indirect '
                             'personal data collection, effective May 1, 2026. '
                             'Exemptions apply for intelligence/security '
                             'agencies.',
                  'type': 'International Regulation'},
                 {'details': 'EDPB and European Commission issued joint '
                             'guidelines on GDPR-DMA interplay, addressing '
                             'gatekeeper compliance, end-user consent, data '
                             'portability, and interoperability. Public '
                             'consultation open until December 4, 2025.',
                  'type': 'International Guidance'},
                 {'details': 'European Commission launched Apply AI '
                             'Strategy (€1B funding) and AI in Science '
                             'Strategy (€3B+ research funding) to accelerate '
                             'AI adoption in industry and science, focusing on '
                             'workforce readiness, infrastructure, and '
                             'strategic datasets.',
                  'type': 'International Initiative'}],
 'impact': {'brand_reputation_impact': [{'impact': 'Allegations of addictive '
                                                   'design contributing to '
                                                   'youth mental health crises '
                                                   '(anxiety, depression, '
                                                   'eating disorders).',
                                         'incident': 'NYC v. Social Media '
                                                     'Platforms'},
                                        {'impact': 'Willful disregard for '
                                                   'children’s privacy and '
                                                   'deceptive data practices.',
                                         'incident': 'Roku Enforcement '
                                                     'Action'}],
            'data_compromised': [{'data': 'Driver’s license numbers, household '
                                          'driver data (825,000+ New Yorkers).',
                                  'incident': 'Auto Insurers Breach'},
                                 {'data': 'Names, dates of birth, SSNs, '
                                          'driver’s license numbers, financial '
                                          'account numbers, medical benefits '
                                          '(6,232 individuals).',
                                  'incident': 'Wojeski & Company Breaches'},
                                 {'data': 'Precise geolocation, viewing '
                                          'habits, voice recordings '
                                          '(children’s data).',
                                  'incident': 'Roku Enforcement Action'},
                                 {'data': 'Phone numbers, birthdates, photos, '
                                          'usernames for social media accounts '
                                          '(children under 13).',
                                  'incident': 'Sendit App (Iconic Hearts)'},
                                 {'data': '150 patients’ names, photographs, '
                                          'treatment/condition details.',
                                  'incident': 'Cadia Healthcare'}],
            'downtime': [{'incident': 'FTC Shutdown',
                          'services': 'ReportFraud.ftc.gov, IdentityTheft.gov, '
                                      'Econsumer.gov, National Do Not Call '
                                      'Registry (temporary).'}],
            'financial_loss': [{'amount': '$14.2 million',
                                'incident': 'Auto Insurers Settlement'},
                               {'amount': '$60,000',
                                'incident': 'Wojeski & Company Settlement'},
                               {'amount': '$182,000',
                                'incident': 'Cadia Healthcare Settlement'}],
            'identity_theft_risk': [{'incident': 'Auto Insurers Breach',
                                     'risk': 'Exposed data used to file '
                                             'fraudulent unemployment claims '
                                             'during COVID-19.'}],
            'legal_liabilities': [{'incident': 'California Digital Age '
                                               'Assurance Act',
                                   'liability': 'Up to $7,500 per affected '
                                                'child for intentional '
                                                'violations.'},
                                  {'incident': 'Massachusetts Data Privacy Act',
                                   'liability': 'Up to $5,000 per violation '
                                                '(enforced by Attorney '
                                                'General).'},
                                  {'incident': 'GUARD Act (Proposed)',
                                   'liability': 'Fines up to $100,000 for '
                                                'violations.'},
                                  {'incident': 'NYC v. Social Media Platforms',
                                   'liability': 'Public nuisance and '
                                                'negligence claims; potential '
                                                'injunctive relief and '
                                                'damages.'}]},
 'initial_access_broker': {'entry_point': [{'entry': 'Phishing email.',
                                            'incident': 'Wojeski & Company '
                                                        '(2023)'},
                                           {'entry': 'Exploitable ‘pre-fill’ '
                                                     'function in online tool.',
                                            'incident': 'Auto Insurers '
                                                        'Breach'}],
                           'high_value_targets': [{'incident': 'Auto Insurers '
                                                               'Breach',
                                                   'targets': 'Driver’s '
                                                              'license '
                                                              'numbers, '
                                                              'household '
                                                              'data.'},
                                                  {'incident': 'Wojeski & '
                                                               'Company '
                                                               'Breaches',
                                                   'targets': 'SSNs, financial '
                                                              'account '
                                                              'numbers, '
                                                              'medical '
                                                              'benefits.'}]},
 'investigation_status': [{'incident': 'Auto Insurers Breach',
                           'status': 'Resolved (settlement reached).'},
                          {'incident': 'Wojeski & Company Breaches',
                           'status': 'Resolved (settlement reached).'},
                          {'incident': 'Sendit App (Iconic Hearts)',
                           'status': 'Ongoing (FTC complaint filed).'},
                          {'incident': 'Roku Enforcement Action',
                           'status': 'Ongoing (lawsuit filed).'},
                          {'incident': 'NYC v. Social Media Platforms',
                           'status': 'Ongoing (lawsuit filed).'},
                          {'incident': 'Cadia Healthcare HIPAA Violation',
                           'status': 'Resolved (settlement reached).'},
                          {'incident': 'FTC Shutdown',
                           'status': 'Temporary (services to resume '
                                     'post-government reopening).'},
                          {'incident': 'CISA and Cybersecurity Grant Program '
                                       'Expiry',
                           'status': 'Pending (reauthorization required by '
                                     'Congress).'}],
 'lessons_learned': ['Proactive third-party risk management is critical (NYDFS '
                     'Guidance).',
                     'Age verification and children’s data protection are '
                     'increasingly regulated (California Act, GUARD Act, COPPA '
                     'enforcement).',
                     'Transparency in algorithmic pricing is legally required '
                     '(New York Algorithmic Pricing Disclosure Act).',
                     'Healthcare providers must obtain explicit authorization '
                     'for patient data use in marketing (Cadia Healthcare '
                     'case).',
                     'Pre-filled forms can create significant vulnerabilities '
                     'if not secured (Auto Insurers breach).',
                     'Cross-jurisdictional enforcement of privacy laws is '
                     'growing (Consortium of Privacy Regulators).',
                     'AI deployment in healthcare requires robust governance '
                     'and bias assessments (Joint Commission/CHAI Guidance).'],
 'post_incident_analysis': {'corrective_actions': [{'actions': ['Secure '
                                                                'pre-fill '
                                                                'tools',
                                                                'Implement '
                                                                'authentication '
                                                                'procedures',
                                                                'Enhance '
                                                                'logging/monitoring.'],
                                                    'incident': 'Auto '
                                                                'Insurers'},
                                                   {'actions': ['Encrypt '
                                                                'personal '
                                                                'information',
                                                                'Conduct '
                                                                'cybersecurity '
                                                                'training',
                                                                'Improve '
                                                                'third-party '
                                                                'access '
                                                                'controls.'],
                                                    'incident': 'Wojeski & '
                                                                'Company'},
                                                   {'actions': ['Comply with '
                                                                'COPPA '
                                                                '(parental '
                                                                'consent, data '
                                                                'minimization)',
                                                                'Cease '
                                                                'deceptive '
                                                                'subscription '
                                                                'practices.'],
                                                    'incident': 'Sendit App'},
                                                   {'actions': ['Implement '
                                                                'effective age '
                                                                'verification',
                                                                'Obtain '
                                                                'parental '
                                                                'consent for '
                                                                'children’s '
                                                                'data '
                                                                'collection',
                                                                'Stop selling '
                                                                'sensitive '
                                                                'children’s '
                                                                'data.'],
                                                    'incident': 'Roku'},
                                                   {'actions': ['Obtain HIPAA '
                                                                'authorizations '
                                                                'for patient '
                                                                'data use',
                                                                'Train '
                                                                'marketing '
                                                                'staff on '
                                                                'privacy rules',
                                                                'Issue breach '
                                                                'notifications.'],
                                                    'incident': 'Cadia '
                                                                'Healthcare'}],
                            'root_causes': [{'causes': 'Insecure ‘pre-fill’ '
                                                       'tool design, lack of '
                                                       'access controls.',
                                             'incident': 'Auto Insurers '
                                                         'Breach'},
                                            {'causes': 'Successful phishing '
                                                       'attack, inadequate '
                                                       'email security.',
                                             'incident': 'Wojeski & Company '
                                                         '(2023)'},
                                            {'causes': 'Improper data access '
                                                       'by third-party '
                                                       'investigator, lack of '
                                                       'oversight.',
                                             'incident': 'Wojeski & Company '
                                                         '(2024)'},
                                            {'causes': 'Failure to comply with '
                                                       'COPPA (no parental '
                                                       'consent, deceptive '
                                                       'practices).',
                                             'incident': 'Sendit App'},
                                            {'causes': 'Willful disregard for '
                                                       'children’s privacy, '
                                                       'inadequate consent '
                                                       'mechanisms.',
                                             'incident': 'Roku'},
                                            {'causes': 'Lack of HIPAA '
                                                       'authorizations for '
                                                       'patient data in '
                                                       'marketing.',
                                             'incident': 'Cadia Healthcare'}]},
 'ransomware': {'data_encryption': [{'incident': 'Wojeski & Company (2023 '
                                                 'Incident)',
                                     'status': 'Ransomware attack via phishing '
                                               'email.'}]},
 'recommendations': ['Implement age verification interfaces compliant with '
                     'state laws (e.g., California Digital Age Assurance Act).',
                     'Conduct data protection assessments for high-risk '
                     'processing (Massachusetts MDPA).',
                     'Adopt NYDFS’s third-party risk management best practices '
                     '(due diligence, contracts, monitoring).',
                     'Ensure compliance with children’s privacy laws (COPPA, '
                     'FDBOR) to avoid FTC/state AG actions.',
                     'Secure pre-filled forms and limit data exposure in '
                     'online tools (Auto Insurers breach).',
                     'Obtain explicit HIPAA authorizations before using '
                     'patient data in marketing (Cadia Healthcare).',
                     'Design social media platforms to mitigate addictive '
                     'features and protect minors (NYC lawsuit).',
                     'Monitor international privacy developments (e.g., New '
                     'Zealand’s Privacy Amendment Act, EU GDPR-DMA '
                     'guidelines).',
                     'Prepare for federal cybersecurity program '
                     'reauthorization (CISA, State and Local Cybersecurity '
                     'Grant Program).'],
 'references': [{'source': 'California Digital Age Assurance Act (2027)'},
                {'source': 'Massachusetts Data Privacy Act (Senate Passage)'},
                {'source': 'Pennsylvania Consumer Data Privacy Act (House Bill '
                           '78)'},
                {'source': 'NYDFS Guidance on Third-Party Service Provider '
                           'Risk',
                 'url': 'https://www.dfs.ny.gov/'},
                {'source': 'Consortium of Privacy Regulators Expansion '
                           '(Minnesota, New Hampshire)'},
                {'source': 'FTC Shutdown Announcement (October 1, 2025)',
                 'url': 'https://www.ftc.gov/'},
                {'source': 'Joint Commission & CHAI AI Guidance for '
                           'Healthcare'},
                {'source': 'GUARD Act (Bipartisan Bill on AI Chatbots for '
                           'Minors)'},
                {'source': 'Salazar v. NBA (VPPA Dismissal, SDNY)'},
                {'source': 'National Retail Federation v. New York '
                           '(Algorithmic Pricing Law Dismissal, SDNY)'},
                {'source': 'New Jersey Supreme Court Review of Daniel’s Law'},
                {'source': 'FTC Complaint Against Iconic Hearts (Sendit App)',
                 'url': 'https://www.ftc.gov/'},
                {'source': 'Florida AG Lawsuit Against Roku'},
                {'source': 'NYC Lawsuit Against Social Media Platforms'},
                {'source': 'OCR Settlement with Cadia Healthcare',
                 'url': 'https://www.hhs.gov/hipaa/index.html'},
                {'source': 'New York AG Settlements with Auto Insurers'},
                {'source': 'New York AG Settlement with Wojeski & Company'},
                {'source': 'New Zealand Privacy Amendment Act 2025'},
                {'source': 'EDPB-EC Joint Guidelines on GDPR-DMA Interplay',
                 'url': 'https://edpb.europa.eu/'},
                {'source': 'European Commission AI Strategies (Apply AI, AI in '
                           'Science)',
                 'url': 'https://digital-strategy.ec.europa.eu/'}],
 'regulatory_compliance': {'fines_imposed': ['$14.2M (Auto Insurers)',
                                             '$60,000 (Wojeski & Co.)',
                                             '$182,000 (Cadia Healthcare).'],
                           'legal_actions': ['FTC complaint against Iconic '
                                             'Hearts (Sendit)',
                                             'Florida AG lawsuit against Roku',
                                             'NYC lawsuit against Meta, Snap, '
                                             'TikTok, Google',
                                             'New York AG settlements with '
                                             'auto insurers and Wojeski & Co.',
                                             'OCR settlement with Cadia '
                                             'Healthcare.'],
                           'regulations_violated': ['California Digital Age '
                                                    'Assurance Act (2027)',
                                                    'Massachusetts Data '
                                                    'Privacy Act (Proposed)',
                                                    'Pennsylvania Consumer '
                                                    'Data Privacy Act '
                                                    '(Proposed)',
                                                    'COPPA (Sendit App)',
                                                    'Florida Digital Bill of '
                                                    'Rights (Roku)',
                                                    'Florida Deceptive and '
                                                    'Unfair Trade Practices '
                                                    'Act (Roku)',
                                                    'HIPAA Privacy and Breach '
                                                    'Notification Rules (Cadia '
                                                    'Healthcare)',
                                                    'New York Unfair Trade '
                                                    'Practices Law (Auto '
                                                    'Insurers, Wojeski & '
                                                    'Co.).'],
                           'regulatory_notifications': ['California Attorney '
                                                        'General (Digital Age '
                                                        'Assurance Act)',
                                                        'Massachusetts '
                                                        'Attorney General '
                                                        '(MDPA, if passed)',
                                                        'Pennsylvania Attorney '
                                                        'General (Consumer '
                                                        'Data Privacy Act, if '
                                                        'passed)',
                                                        'NYDFS (Third-Party '
                                                        'Service Provider '
                                                        'Guidance)',
                                                        'New Zealand Privacy '
                                                        'Commissioner (Privacy '
                                                        'Amendment Act '
                                                        '2025).']},
 'response': {'law_enforcement_notified': [{'incident': 'Auto Insurers Breach',
                                            'status': 'Investigated by New '
                                                      'York Attorney General.'},
                                           {'incident': 'Wojeski & Company '
                                                        'Breaches',
                                            'status': 'Investigated by New '
                                                      'York Attorney '
                                                      'General.'}],
              'remediation_measures': [{'incident': 'Auto Insurers Settlement',
                                        'measures': ['$14.2M penalties',
                                                     'Comprehensive '
                                                     'information security '
                                                     'program',
                                                     'Data inventory',
                                                     'Authentication '
                                                     'procedures',
                                                     'Logging/monitoring '
                                                     'system',
                                                     'Threat response '
                                                     'procedures.']},
                                       {'incident': 'Wojeski & Company '
                                                    'Settlement',
                                        'measures': ['$60,000 penalties',
                                                     'Encryption of personal '
                                                     'information',
                                                     'Cybersecurity training '
                                                     'for employees',
                                                     'Comprehensive '
                                                     'information security '
                                                     'program',
                                                     'Data inventory',
                                                     'Incident response '
                                                     'procedures.']},
                                       {'incident': 'Cadia Healthcare '
                                                    'Settlement',
                                        'measures': ['$182,000 fine',
                                                     '2-year corrective action '
                                                     'plan',
                                                     'Revised HIPAA '
                                                     'policies/procedures',
                                                     'Workforce training '
                                                     '(including marketing '
                                                     'staff)',
                                                     'Breach notifications to '
                                                     'affected individuals.']},
                                       {'incident': 'NYDFS Third-Party Risk '
                                                    'Guidance',
                                        'measures': ['Proactive due diligence '
                                                     'for TPSPs',
                                                     'Contract provisions '
                                                     '(access controls, '
                                                     'encryption, breach '
                                                     'notification)',
                                                     'Ongoing monitoring '
                                                     '(audits, penetration '
                                                     'tests)',
                                                     'Secure offboarding (data '
                                                     'return/destruction).']}]},
 'type': ['Regulatory Compliance',
          'Data Privacy Law',
          'Cybersecurity Policy Lapse',
          'Enforcement Action',
          'Litigation',
          'International Regulation'],
 'vulnerability_exploited': [{'incident': 'Auto Insurers Data Breach',
                              'vulnerability': 'Exploitable ‘pre-fill’ '
                                               'function in online quote tool, '
                                               'exposing driver’s license '
                                               'numbers and household data.'},
                             {'incident': 'Wojeski & Company Breaches',
                              'vulnerability': 'Phishing email (2023 '
                                               'ransomware attack) and '
                                               'improper access by an '
                                               'investigator (2024 breach).'}]}