Sheheen, Hancock & Godwin

The accounting firm **Sheheen, Hancock & Godwin** suffered a **ransomware attack** in **April 2025**, attributed to the **Lynx ransomware group** (a spin-off of the Inc ransomware operation). The breach compromised **personal and sensitive data** of **over 34,000 individuals**, primarily in **South Carolina**, with additional victims across **Texas, Massachusetts, Maine, and New Hampshire**. The exposed data included:

- **Names, Social Security numbers, government-issued IDs (driver’s licenses, passports)**
- **Taxpayer IDs, financial account details, dates of birth**
- **Medical and health insurance information**

Lynx claimed to have stolen **10 GB of data** and demanded an **undisclosed ransom**, threatening to publish the data if unpaid by **April 25, 2025**. The firm did not confirm whether the ransom was paid or if free credit monitoring was offered to victims.

The attack highlights severe risks of **identity theft, financial fraud, and long-term reputational damage** for affected individuals and the firm. The incident aligns with a broader trend of **ransomware targeting US financial institutions**, with **26 confirmed attacks in 2025** compromising over **204,000 records** nationwide.

Source: https://www.comparitech.com/news/south-carolina-accounting-firm-notifies-34000-people-of-data-breach/

TPRM report: https://www.rankiteo.com/company/sheheen-hancock-&-godwin-llp

"id": "she0192801100225",
"linkid": "sheheen-hancock-&-godwin-llp",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 34199,
                        'industry': 'Financial Services / Accounting',
                        'location': 'Camden, South Carolina, USA',
                        'name': 'Sheheen, Hancock & Godwin',
                        'type': 'Accounting Firm'}],
 'customer_advisories': 'Breach notification letters sent to 34,199 affected '
                        'individuals across five U.S. states',
 'data_breach': {'data_exfiltration': 'Confirmed (10 GB of data stolen, per '
                                      'Lynx)',
                 'number_of_records_exposed': 34199,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Medical/Health Data',
                                              'Government-Issued IDs']},
 'date_detected': '2025-04-08',
 'description': 'Accounting firm Sheheen, Hancock & Godwin confirmed a data '
                'breach in April 2025 that compromised personal information of '
                'over 34,000 individuals. The ransomware group Lynx claimed '
                'responsibility, stealing 10 GB of data and threatening to '
                'publish it unless an undisclosed ransom was paid by April 25, '
                '2025. The breach exposed highly sensitive data, including '
                'Social Security numbers, financial account information, and '
                'medical records. The firm has not confirmed whether a ransom '
                'was paid or how the breach occurred.',
 'impact': {'brand_reputation_impact': 'High (sensitive data of 34,000+ '
                                       'individuals exposed)',
            'data_compromised': ['Names',
                                 'Social Security numbers',
                                 'Government-issued ID numbers (e.g., driver’s '
                                 'license, passport)',
                                 'Taxpayer ID numbers',
                                 'Financial account info',
                                 'Dates of birth',
                                 'Medical info',
                                 'Health insurance info'],
            'identity_theft_risk': 'High (SSNs, financial, and medical data '
                                   'exposed)',
            'payment_information_risk': 'High (financial account info '
                                        'compromised)'},
 'investigation_status': 'Ongoing (firm has not disclosed breach details or '
                         'ransom payment status)',
 'motivation': 'Financial (ransom demand)',
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': 'Undisclosed (threatened publication if '
                                   'unpaid by 2025-04-25)',
                'ransomware_strain': 'Lynx'},
 'references': [{'source': 'Comparitech'},
                {'source': 'Sheheen, Hancock & Godwin Breach Notice (PDF)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Notified attorneys '
                                                       'general in South '
                                                       'Carolina, Texas, '
                                                       'Massachusetts, Maine, '
                                                       'and New Hampshire'},
 'response': {'communication_strategy': 'Public breach notification (PDF) '
                                        'issued; no free credit monitoring or '
                                        'identity theft protection offered'},
 'threat_actor': "Lynx (Ransomware-as-a-Service group, spin-off of 'Inc')",
 'title': 'Sheheen, Hancock & Godwin Data Breach (April 2025)',
 'type': ['Data Breach', 'Ransomware Attack']}