The Vermont Office of the Attorney General disclosed on December 9, 2024, that Shelton & Company, CPAs, P.C. suffered a data breach on or around August 15, 2024. The incident involved the unauthorized access to an employee’s email account, potentially exposing sensitive personal information. While the exact details remain undisclosed, the compromised data may include individuals' names and other unspecified personal details. The breach’s scope, including the number of affected individuals, has not been confirmed. The attack appears to stem from a phishing or credential-compromise scenario, targeting employee communications—a common vector for data exfiltration. Given the nature of the firm (a CPA company), the exposed data could include client financial records, tax-related information, or employee details, though the report does not specify the extent of the leak. The lack of clarity on whether financial fraud, identity theft, or broader operational disruptions occurred leaves the long-term impact uncertain. However, the breach underscores vulnerabilities in email security protocols and the risks associated with third-party access to sensitive accounting data. No ransomware demands or systemic outages were reported, suggesting the attack was contained to data exposure rather than a full-scale operational disruption. The firm has not publicly detailed remediation steps, such as notifications to affected parties or enhanced cybersecurity measures.
Source: https://ago.vermont.gov/document/2024-12-09-shelton-company-cpas-data-breach-notice-consumers
TPRM report: https://www.rankiteo.com/company/shelton-&-company-cpas-p.c.
"id": "she735082025",
"linkid": "shelton-&-company-cpas-p.c.",
"type": "Breach",
"date": "8/2024",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'unknown',
'industry': 'Professional Services (Accounting)',
'location': 'Vermont, USA',
'name': 'Shelton & Company, CPAs, P.C.',
'type': 'Accounting Firm'}],
'data_breach': {'number_of_records_exposed': 'unknown',
'personally_identifiable_information': True,
'sensitivity_of_data': 'moderate (personal information)',
'type_of_data_compromised': ['names',
'possibly other personal '
'details']},
'date_detected': '2024-08-15',
'date_publicly_disclosed': '2024-12-09',
'description': 'The Vermont Office of the Attorney General reported that '
'Shelton & Company, CPAs, P.C. experienced a data breach on or '
'around August 15, 2024, involving the unauthorized access of '
"an employee's email account. The personal information "
'potentially affected includes names and possibly other '
'details, but the specific number of individuals affected is '
'unknown.',
'impact': {'data_compromised': ['names', 'possibly other personal details'],
'identity_theft_risk': 'potential (due to exposed personal '
'information)',
'systems_affected': ['employee email account']},
'references': [{'date_accessed': '2024-12-09',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Vermont Office of the '
'Attorney General']},
'response': {'communication_strategy': 'Public disclosure via Vermont Office '
'of the Attorney General'},
'title': 'Shelton & Company, CPAs, P.C. Email Account Data Breach',
'type': 'Data Breach (Unauthorized Email Access)'}