Accounting Firm to Pay NY $60K After Waiting Over a Year to Reveal Data Breach
An Albany-based accounting firm will pay $60,000 to settle with New York state in a data breach case, the attorney general's office said Monday. The AG's office said that the firm, Wojeski & Co., failed to adequately protect client data and notify customers of breaches, which exposed more than 6,000 individuals' personal information during two cybersecurity incidents. The firm waited more than one year before it notified victims of the first data breach, the state office said.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The enforcement action comes about a week after the New York AG's office announced data breach settlements totaling $14.2 million with eight car insurance companies (see 2510140034). The state still lacks a comprehensive privacy law, though officials from the AG's office urged legislators to pass one at a hearing last week (see 2510170032).
Employees at Wojeski determined they were experiencing a cyberattack when they couldn't access certain system files on July 28, 2023, said the AG’s office. The firm contained the threat and launched an investigation, which discovered that a phishing email caused the ransomware attack.
A second breach was found May 31, 2024, when a firm hired to help investigate the first cyberattack improperly accessed customer data. In addition, employees of that third party sent information to external email addresses without authorization. Wojeski didn't inform customers of either incident until November 2024.
The 2023 breach leaked the information of 5,881 individuals, and the 2024 breach impacted 351 people, the AG's office said. The personal data exposed in the incidents included Social Security numbers, driver's license numbers, medical benefits and financial account numbers. Wojeski didn't comment.
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said AG Letitia James (D). “As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers’ personal data and prevent data breaches that could lead to identity theft and other types of fraud.”
In addition to the monetary penalty, the firm must encrypt the personal information it collects, transmits or maintains; establish an authentication process for account management; limit employee access to sensitive information; and implement an incident response plan with timely consumer notice, among other things.
“This breach is a serious reminder that protecting personal information isn’t optional,” said Albany County Executive Daniel McCoy. “When businesses handle sensitive data, they owe it to their clients and our community to safeguard that information.”
New York Sen. Patricia Fahy (D) said that “the protection of every New Yorker’s personal data and privacy must always be a top priority.”
“When a firm fails to act quickly after a data breach, it's not just a lapse in cybersecurity, it's a lapse in trust,” added Assemblymember Gabriella Romero (D). “Albany businesses must take this as a reminder that transparency, strong data protections, and swift actions are essential to maintaining public confidence.”