On October 20, the New York State attorney general, in a press release, announced a settlement with a certified public accounting firm after discovering the firm experienced two data breaches that compromised its clients’ personal information. The first incident occurred in July 2023 when employees discovered a ransomware attack that locked them out of certain files, and the second breach was identified in May 2024 after an outside investigator improperly accessed customer data. As part of the settlement, the firm agreed to pay $60,000 in penalties and update its cybersecurity practices, including maintaining a robust information security program, encrypting all collected or stored personal information, limiting employee access to certain data, creating an incident response plan, and requiring all employees to complete cybersecurity training.
The state’s Office of the Attorney General found that the firm failed to notify affected individuals until November 2024, more than a year after the initial breach, despite requirements for prompt notification. Exposed information included names, dates of birth, Social Security numbers, driver’s license numbers, email addresses, phone numbers, financial account numbers, and medical benefits information.