New York Attorney General Letitia James announced on Monday a settlement with certified public accounting firm Wojeski & Company to strengthen its data security practices and better protect consumer information.
The settlement follows two cybersecurity incidents at Wojeski that exposed the personal data of more than 4,700 New Yorkers. An investigation by the Attorney General’s Office found that the firm failed to implement adequate security measures and took over a year to notify clients of the breaches, despite legal requirements to do so promptly.
Under the agreement, Wojeski will pay $60,000 in penalties and is required to adopt stricter cybersecurity measures. Affected individuals were offered one year of free credit monitoring.
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said Attorney General James. “As an accounting firm, Wojeski should have done more to protect New Yorkers’ personal data. Companies must safeguard their customers’ information, and my office will hold them accountable when they fail to do so.”
Details of the Breaches
- On July 28, 2023, Wojeski experienced a ransomware attack that prevented access to certain files. The attack was likely triggered by a phishing email sent to an employee. During the breach, sensitive client data, including social security numbers, were unencrypted in parts of the firm’s network.
- On May 31, 2024, a second breach occurred when an employee of a third-party firm improperly accessed client data sent for investigation. Some of this information was sent to external email addresses without authorization.
- Wojeski did not notify clients of either breach until November 2024, approximately a year and a half after the first incident. Exposed personal information included names, dates of birth, social security numbers, driver’s license numbers, email addresses, phone numbers, financial account numbers, and medical benefits.
The 2023 breach affected 5,881 individuals, including 4,726 New York residents. The 2024 breach affected 351 individuals, including 267 New York residents.
Required Security Measures
As part of the settlement, Wojeski must implement a series of measures to protect customer data, including:
- Maintaining a comprehensive information security program;
- Encrypting personal information throughout its systems;
- Developing and maintaining an inventory of stored personal data;
- Limiting employee access to sensitive information through secure account management;
- Identifying and correcting network security vulnerabilities;
- Establishing an incident response plan to ensure timely notification to consumers; and
- Implementing cybersecurity training for all employees.
The Attorney General’s Office emphasized that the settlement is part of ongoing efforts to protect New Yorkers from identity theft and fraud resulting from weak data security practices.
Have all the Finger Lakes news from Finger Lakes News Radio delivered to your email every morning for FREE! Sign up by clicking here
