[Redacted Certified Public Accounting Firm]

The firm experienced two major data breaches within a year, severely compromising clients’ sensitive personal information. The first incident in July 2023 involved a ransomware attack that encrypted critical files, while the second in May 2024 stemmed from an external investigator improperly accessing customer data. Exposed data included names, Social Security numbers, dates of birth, driver’s license numbers, financial account details, email addresses, phone numbers, and medical benefits information, all highly sensitive records with severe fraud and identity theft risks. The firm failed to notify affected individuals for over a year, violating legal notification deadlines, and only disclosed the breaches in November 2024 after regulatory intervention. The New York State Attorney General imposed a $60,000 penalty and mandated sweeping cybersecurity reforms, including encryption, access controls, incident response plans, and mandatory employee training. The prolonged exposure period amplified risks, leaving clients vulnerable to financial fraud, identity theft, and reputational harm. The breaches underscored systemic security failures, particularly in third-party access oversight and ransomware defense.

Source: https://www.jdsupra.com/legalnews/new-york-state-attorney-general-6985653/

TPRM report: https://www.rankiteo.com/company/cupit-milligan-ogden-&-williams-cpas

"id": "cup4593945102725",
"linkid": "cupit-milligan-ogden-&-williams-cpas",
"type": "Ransomware",
"date": "7/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Accounting/Financial Services',
                        'location': 'New York, USA',
                        'type': 'Certified Public Accounting (CPA) Firm'}],
 'attack_vector': ['Ransomware (first incident)',
                   'Improper access by outside investigator (second incident)'],
 'customer_advisories': 'Delayed notification issued in November 2024',
 'data_breach': {'data_encryption': 'No (data was unencrypted at time of '
                                    'breaches; firm agreed to encrypt as part '
                                    'of settlement)',
                 'personally_identifiable_information': ['Names',
                                                         'Dates of birth',
                                                         'Social Security '
                                                         'numbers',
                                                         'Driver’s license '
                                                         'numbers',
                                                         'Email addresses',
                                                         'Phone numbers'],
                 'sensitivity_of_data': 'High (includes SSNs, financial, and '
                                        'medical data)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Medical Benefits Information']},
 'date_detected': ['2023-07', '2024-05'],
 'date_publicly_disclosed': '2024-10-20',
 'description': 'The firm experienced two data breaches: a ransomware attack '
                'in July 2023 that locked employees out of certain files, and '
                'an improper data access incident in May 2024 by an outside '
                'investigator. The breaches compromised clients’ personal '
                'information, including names, dates of birth, Social Security '
                'numbers, driver’s license numbers, email addresses, phone '
                'numbers, financial account numbers, and medical benefits '
                'information. The firm settled with the New York State '
                'Attorney General, agreeing to pay $60,000 in penalties and '
                'update its cybersecurity practices, including encryption, '
                'access controls, incident response planning, and employee '
                'training. Notification to affected individuals was delayed '
                'until November 2024, over a year after the initial breach.',
 'impact': {'brand_reputation_impact': 'Likely negative due to delayed '
                                       'notification and sensitive data '
                                       'exposure',
            'data_compromised': ['Names',
                                 'Dates of birth',
                                 'Social Security numbers',
                                 'Driver’s license numbers',
                                 'Email addresses',
                                 'Phone numbers',
                                 'Financial account numbers',
                                 'Medical benefits information'],
            'financial_loss': '$60,000 (settlement penalties)',
            'identity_theft_risk': 'High (due to exposure of SSNs, financial, '
                                   'and medical data)',
            'legal_liabilities': '$60,000 settlement with New York State '
                                 'Attorney General; potential further '
                                 'liabilities',
            'operational_impact': 'Files locked during ransomware attack; '
                                  'potential disruption from improper data '
                                  'access',
            'payment_information_risk': 'High (financial account numbers '
                                        'exposed)'},
 'initial_access_broker': {'high_value_targets': ['Client personal information',
                                                  'Financial data']},
 'investigation_status': 'Resolved (settlement reached)',
 'lessons_learned': ['Prompt notification of affected individuals is critical '
                     'to compliance and trust.',
                     'Encryption and access controls are essential for '
                     'protecting sensitive data.',
                     'Incident response plans must be proactive, not '
                     'reactive.'],
 'motivation': ['Potentially financial or opportunistic (ransomware); '
                'unintentional or negligent (improper access)'],
 'post_incident_analysis': {'corrective_actions': ['Implement encryption for '
                                                   'all personal data',
                                                   'Limit employee and '
                                                   'third-party access to '
                                                   'sensitive data',
                                                   'Develop and maintain an '
                                                   'incident response plan',
                                                   'Enforce cybersecurity '
                                                   'training for all employees',
                                                   'Comply with prompt breach '
                                                   'notification requirements'],
                            'root_causes': ['Lack of encryption for stored '
                                            'personal data',
                                            'Inadequate access controls for '
                                            'employees and third parties',
                                            'Absence of an incident response '
                                            'plan',
                                            'Delayed breach notification '
                                            'process']},
 'ransomware': {'data_encryption': 'Yes (files locked during first incident)'},
 'recommendations': ['Implement encryption for all stored personal data.',
                     'Enforce least-privilege access controls for employees '
                     'and third parties.',
                     'Develop and test an incident response plan regularly.',
                     'Ensure timely breach notifications to comply with '
                     'regulations.',
                     'Conduct periodic cybersecurity training for all '
                     'employees.'],
 'references': [{'date_accessed': '2024-10-20',
                 'source': 'New York State Attorney General Press Release'}],
 'regulatory_compliance': {'fines_imposed': '$60,000',
                           'legal_actions': 'Settlement agreement with New '
                                            'York State Attorney General',
                           'regulations_violated': ['New York State data '
                                                    'breach notification laws '
                                                    '(delayed notification)'],
                           'regulatory_notifications': 'Delayed (notified '
                                                       'affected individuals '
                                                       'in November 2024)'},
 'response': {'communication_strategy': 'Delayed notification to affected '
                                        'individuals (November 2024, over a '
                                        'year post-breach)',
              'incident_response_plan_activated': 'No (prior to settlement; '
                                                  'firm agreed to create one '
                                                  'as part of remediation)',
              'remediation_measures': ['Maintain robust information security '
                                       'program',
                                       'Encrypt all collected or stored '
                                       'personal information',
                                       'Limit employee access to certain data',
                                       'Create an incident response plan',
                                       'Require all employees to complete '
                                       'cybersecurity training']},
 'threat_actor': ['Unknown (ransomware attack)',
                  'Outside investigator (improper access)'],
 'title': 'Data Breaches at Certified Public Accounting Firm Resulting in '
          'Settlement with New York State Attorney General',
 'type': ['Ransomware Attack', 'Unauthorized Data Access']}