Wojeski & Co., a public accounting firm, experienced two major cybersecurity incidents due to inadequate data protection measures. In July 2023, the firm fell victim to a ransomware attack, followed by another data breach in May 2024. Together, the incidents exposed the sensitive personal information, including Social Security numbers, of over 4,700 New York residents. The breaches were compounded by the firm’s delayed response: it took over a year to notify affected victims, violating regulatory expectations. The New York Attorney General’s Office intervened, leading to a settlement requiring Wojeski & Co. to implement stronger security protocols. The exposed data included highly sensitive financial and personally identifiable information (PII), posing significant risks of identity theft, fraud, and reputational harm to both the firm and its clients. The incidents highlight critical failures in cybersecurity governance, incident response, and compliance with data protection laws.
TPRM report: https://www.rankiteo.com/company/wojeski
"id": "woj2203022102125",
"linkid": "wojeski",
"type": "Ransomware",
"date": "7/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '4,700+ (New Yorkers)',
                        'industry': 'Financial Services / Accounting',
                        'location': 'New York, USA',
                        'name': 'Wojeski & Co.',
                        'type': 'Public Accounting Firm'}],
 'customer_advisories': 'Delayed notification to victims',
 'data_breach': {'number_of_records_exposed': '4,700+',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Social Security numbers']},
 'date_publicly_disclosed': '2024-09-16',
 'description': 'Wojeski & Co., a public accounting firm, experienced two '
                'cybersecurity incidents due to weak data protections: a '
                'ransomware attack in July 2023 and a data breach in May 2024. '
                'These incidents exposed sensitive personal information '
                '(including Social Security numbers) of over 4,700 New '
                'Yorkers. The firm delayed notifying victims for over a year '
                'and reached a settlement with the New York Attorney General’s '
                'Office to improve security measures.',
 'impact': {'brand_reputation_impact': 'Negative (settlement with NY AG, '
                                       'delayed notification)',
            'data_compromised': ['Social Security numbers',
                                 'Personal information'],
            'identity_theft_risk': 'High (SSNs exposed)',
            'legal_liabilities': 'Settlement with New York Attorney General’s '
                                 'Office'},
 'investigation_status': 'Completed (settlement reached)',
 'post_incident_analysis': {'corrective_actions': 'Settlement agreement to '
                                                  'improve security measures',
                            'root_causes': 'Weak data protections'},
 'references': [{'date_accessed': '2024-09-16',
                 'source': 'New York Attorney General’s Office Announcement'}],
 'regulatory_compliance': {'legal_actions': 'Settlement with New York Attorney '
                                            'General’s Office',
                           'regulatory_notifications': 'New York Attorney '
                                                       'General’s Office'},
 'response': {'communication_strategy': 'Delayed victim notification (over a '
                                        'year)'},
 'title': 'Wojeski & Co. Data Breaches and Ransomware Attack (2023-2024)',
 'type': ['Data Breach', 'Ransomware Attack'],
 'vulnerability_exploited': 'Weak data protections'}