Ives Sultan & Spike CPAs

On May 11, 2020, Ives Sultan & Spike CPAs (ISS) suffered a data breach due to unauthorized access to an employee’s email account. The incident, reported to the Maine Office of the Attorney General on September 16, 2021, exposed sensitive personal information of 5,792 individuals, including driver’s license numbers and Social Security numbers. The breach stemmed from a compromised email account, likely through phishing or credential theft, allowing attackers to access confidential data. While the exact duration of unauthorized access remains undisclosed, the exposure of such highly sensitive information poses significant risks, including identity theft, financial fraud, and long-term reputational damage for the affected individuals. The firm’s delayed public disclosure over a year after the breach further exacerbates concerns about transparency and incident response protocols. The compromised data primarily belonged to clients or employees, highlighting vulnerabilities in the company’s email security and data protection measures.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/8ef6237d-49e7-41ad-8c0a-cbba0b861bd4.shtml

TPRM report: https://www.rankiteo.com/company/ives-sultan-&-spike-cpas-llp

"id": "ive1018090725",
"linkid": "ives-sultan-&-spike-cpas-llp",
"type": "Breach",
"date": "5/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 5792,
                        'industry': 'Financial Services / Accounting',
                        'name': 'Ives Sultan & Spike CPAs (ISS)',
                        'type': 'Accounting Firm'}],
 'attack_vector': 'Unauthorized Access (Email Account Compromise)',
 'data_breach': {'data_exfiltration': 'Potential (unauthorized access to email '
                                      'account)',
                 'number_of_records_exposed': 5792,
                 'personally_identifiable_information': ["Driver's License "
                                                         'Numbers',
                                                         'Social Security '
                                                         'Numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2020-05-11',
 'date_publicly_disclosed': '2021-09-16',
 'description': 'On September 16, 2021, the Maine Office of the Attorney '
                'General reported that Ives Sultan & Spike CPAs (ISS) '
                'experienced a data breach on May 11, 2020. The breach '
                "involved unauthorized access to an employee's email account, "
                "potentially exposing personal information such as driver's "
                'license numbers and social security numbers of 5,792 '
                'individuals.',
 'impact': {'data_compromised': ["Driver's License Numbers",
                                 'Social Security Numbers'],
            'identity_theft_risk': 'High (PII exposed)',
            'systems_affected': ['Employee Email Account']},
 'initial_access_broker': {'entry_point': 'Employee Email Account'},
 'references': [{'date_accessed': '2021-09-16',
                 'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': ['Maine Office of the '
                                                        'Attorney General']},
 'response': {'communication_strategy': 'Public disclosure via Maine Office of '
                                        'the Attorney General'},
 'title': 'Ives Sultan & Spike CPAs (ISS) Data Breach (2020)',
 'type': 'Data Breach'}