On May 19, 2025, the certified public accounting firm Sheheen, Hancock & Godwin LLP discovered a data breach after an unauthorized actor accessed and exfiltrated sensitive files between April 8–25, 2025. The LYNX ransomware group claimed responsibility, asserting they stole 10 GB of data, including names, Social Security numbers, government IDs (passports, TINs), financial accounts, dates of birth, medical records, and health insurance details. The breach impacted at least 35,714 individuals across multiple U.S. states (South Carolina, Maine, Massachusetts, Texas, Montana, New Hampshire). While the full scope remains undisclosed, the exposed data poses severe risks of identity theft, financial fraud, and medical fraud. The firm notified affected individuals via mail (September 25, 2025), offered 12 months of free credit monitoring (TransUnion Cyberscout), and established a dedicated helpline. Regulatory disclosures were made to seven state Attorneys General, indicating potential legal and compliance repercussions. The attack’s highly sensitive nature—involving taxpayer, financial, and medical data—heightens the threat of long-term reputational damage, litigation, and operational disruption for the firm.
Source: https://www.claimdepot.com/data-breach/sheheen-hancock-godwin-2025
Sheheen, Hancock & Godwin, LLP cybersecurity rating report: https://www.rankiteo.com/company/sheheen-hancock-&-godwin-llp
"id": "she0251202110825",
"linkid": "sheheen-hancock-&-godwin-llp",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '35,059 (South Carolina), 49 '
'(Maine), 56 (Massachusetts), '
'416 (Texas), 15 (Montana), 19 '
'(New Hampshire)',
'industry': 'Accounting/Financial Services',
'location': 'South Carolina, USA',
'name': 'Sheheen, Hancock & Godwin LLP',
'type': 'Certified Public Accounting Firm'}],
'customer_advisories': 'Dedicated assistance line (1-833-844-8187); '
'recommendations for credit monitoring and fraud '
'prevention',
'data_breach': {'data_exfiltration': 'Yes (10 GB of data copied/downloaded)',
'number_of_records_exposed': 'At least 35,604 (sum of '
'disclosed state totals)',
'personally_identifiable_information': 'Yes (names, SSNs, '
'DOBs, passport '
'numbers, TINs, etc.)',
'sensitivity_of_data': 'High (includes SSNs, financial '
'accounts, medical/health data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data',
'Health Information',
'Government Identification']},
'date_detected': '2025-05-19',
'date_publicly_disclosed': '2025-09-25',
'description': 'On May 19, 2025, Sheheen, Hancock & Godwin LLP, a certified '
'public accounting firm based in South Carolina, discovered a '
'data breach. An investigation determined that an unauthorized '
'actor gained access and copied or downloaded certain files '
'and folders on April 8, 2025. The ransomware group LYNX '
'claimed responsibility, stating they had obtained 10 GB of '
'company data, including highly sensitive personal and '
'financial information. The firm began notifying impacted '
'individuals on Sept. 25, 2025, and offered 12 months of free '
'credit monitoring and identity protection services.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive client data',
'data_compromised': ['Name',
'Social Security Number',
'Government Identification Number',
'Passport Number',
'Taxpayer Identification Number',
'Financial Account Information',
'Date of Birth',
'Medical Information',
'Health Insurance Information'],
'identity_theft_risk': 'High (due to exposure of SSNs, financial '
'data, and PII)',
'legal_liabilities': 'Disclosures to multiple state Attorneys '
'General; potential regulatory scrutiny',
'payment_information_risk': 'High (financial account information '
'exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (claimed by LYNX on '
'dark web posting)'},
'investigation_status': 'Completed (as of Sept. 3, 2025 review)',
'motivation': 'Data Theft, Ransom',
'ransomware': {'data_exfiltration': 'Yes (10 GB)',
'ransomware_strain': 'LYNX'},
'recommendations': ['Sign up for free credit monitoring/identity protection '
'services',
'Monitor credit reports and financial accounts for '
'unusual activity',
'Be alert for phishing attempts using exposed information',
'Consider placing fraud alerts or credit freezes with '
'major credit bureaus'],
'references': [{'source': 'Sheheen, Hancock & Godwin LLP Notice of Data '
'Incident'},
{'date_accessed': '2025-04-25',
'source': 'Dark Web Posting by LYNX Ransomware Group'}],
'regulatory_compliance': {'regulatory_notifications': 'Notified Attorneys '
'General of Maine, '
'Massachusetts, Texas, '
'Vermont, Montana, '
'South Carolina, and '
'New Hampshire (Sept. '
'25, 2025)'},
'response': {'communication_strategy': 'Public notice on website (Sept. 25, '
'2025); mail notifications to impacted '
'individuals; disclosures to state '
'Attorneys General',
'incident_response_plan_activated': 'Yes (investigation '
'initiated post-discovery)',
'recovery_measures': 'Established dedicated assistance line '
'(1-833-844-8187) for affected individuals',
'remediation_measures': 'Offered 12 months of TransUnion '
'Cyberscout credit monitoring and '
'identity protection services'},
'stakeholder_advisories': 'Public notice and mail notifications to affected '
'individuals; disclosures to state authorities',
'threat_actor': 'LYNX (Ransomware Group)',
'title': 'Data Breach at Sheheen, Hancock & Godwin LLP',
'type': ['Data Breach', 'Ransomware Attack']}