Full Report
NEW YORK – New York Attorney General Letitia James today announced a settlement with a public accounting firm, Wojeski & Company (Wojeski), to strengthen its data security to protect consumers’ data. Wojeski did not take proper measures to secure its clients’ personal information and suffered two cybersecurity incidents that exposed the private information of more than 4,700 New Yorkers. An investigation by the Office of the Attorney General (OAG) found that Wojeski took over a year to notify victims of the data breach, despite being required to notify victims soon after a breach. As a result of today’s agreement, Wojeski must pay $60,000 in penalties and take steps to improve its cybersecurity measures. Individuals who were affected by the data breaches were offered one year of free credit report monitoring.
Analysis Summary
# Incident Report: Wojeski & Company Dual Ransomware & Data Exposure Incidents
## Executive Summary
Wojeski & Company, a public accounting firm, suffered two distinct cybersecurity incidents resulting in the exposure of private data belonging to over 4,700 New Yorkers. The initial incident was likely a ransomware attack traced to a phishing email, compounded by poor security practices like failing to encrypt sensitive data. A secondary exposure occurred when an external investigation firm mishandled client data. The firm faced significant regulatory scrutiny for delaying customer notification by over a year, leading to a settlement requiring a $60,000 penalty and mandated security enhancements.
## Incident Details
- **Discovery Date:** July 28, 2023 (Incident 1); May 31, 2024 (Incident 2)
- **Incident Date:** Initial incident occurred on or before July 28, 2023. Second incident occurred on May 31, 2024.
- **Affected Organization:** Wojeski & Company (Public Accounting Firm)
- **Sector:** Accounting / Financial Services
- **Geography:** New York
## Timeline of Events
### Initial Access
- **Date/Time:** On or before July 28, 2023 (Incident 1)
- **Vector:** Phishing email sent to an employee.
- **Details:** Employees realized they were experiencing a ransomware attack when unable to access certain files.
### Lateral Movement
- *Not explicitly detailed, but implied by the nature of the ransomware attack and the subsequent investigation.*
### Data Exfiltration/Impact
- **Date/Time:** Following initial breach (Incident 1); May 31, 2024 (Incident 2)
- **Vector:** Ransomware infection (Incident 1); Improper access and external emailing by a forensic/investigation firm employee (Incident 2).
- **Details:** During the investigation of Incident 1, it was found that customer Social Security Numbers (SSNs) were not encrypted on parts of the network. In Incident 2, an employee of a firm hired for the investigation improperly accessed customer data and emailed it to several external addresses without authorization.
### Detection & Response
- **Date/Time:**
  - **July 28, 2023:** Wojeski employees detected the ransomware attack (Incident 1).
  - **May 31, 2024:** Wojeski was notified of the second data breach (Incident 2).
  - **November 2024:** Wojeski finally notified affected customers of *both* security breaches (over a year after the first incident).
- **Response Actions:** Contained the threat (Incident 1), launched investigations for both, offered one year of free credit report monitoring to affected individuals, and reached a settlement with the OAG.
## Attack Methodology
- **Initial Access:** Phishing (Incident 1).
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified in detail, but the fact that the attack was successful suggests inadequate protective controls.*
- **Credential Access:** *Not specified.*
- **Discovery:** *Not specified, though the second incident shows a major failure in third-party vendor vetting/security.*
- **Lateral Movement:** *Implied.*
- **Collection:** Attackers gathered names, DOBs, SSNs, driver's license numbers, financial account numbers, medical benefits, and entitlement information.
- **Exfiltration:** *Incident 1 likely involved exfiltration associated with the ransomware; Incident 2 involved unauthorized external emailing by an employee of a trusted third party (the investigation firm) acting without authorization.*
- **Impact:** Business disruption due to ransomware and exposure of PII/Sensitive data.
## Impact Assessment
- **Financial:** $60,000 in penalties paid to the NY OAG. Costs associated with remediation and credit monitoring.
- **Data Breach:**
  - **Incident 1:** Exposed data of 5,881 individuals (4,726 NY residents).
  - **Incident 2:** Exposed data of 351 individuals (267 NY residents).
  - **Total Scope:** Exposure of Names, Dates of Birth, SSNs, Driver's License Numbers, Financial Account Numbers, Medical Benefits, and Entitlement Information (SSNs and other data were found unencrypted).
- **Operational:** Disruption due to ransomware attack on July 28, 2023.
- **Reputational:** Public settlement announced by the Attorney General; damage to trust from significant delay in public notification.
## Indicators of Compromise
*No specific IoCs (IPs, domains, file hashes) were provided in the text.*
- **Behavioral Indicators:** Unexplained inability to access files, ransomware locking systems, unauthorized emailing of sensitive documents by an external vendor.
- **Configuration Indicators:** Failure to encrypt PII (specifically SSNs) across parts of the network.
## Response Actions
- **Containment (Incident 1):** Threat was contained after discovery on July 28, 2023.
- **Eradication:** *Not detailed.*
- **Recovery:** *Not detailed.*
- **Regulatory/Public Response:** Notification sent to victims in November 2024 (delayed over one year). Offered one year of free credit report monitoring. Negotiated settlement with NY OAG.
## Lessons Learned
1. **Third-Party Risk Management Failure:** Allowing a hired investigation firm to improperly handle and exfiltrate sensitive client data demonstrates a critical failure in vendor oversight and data handling protocols during incident response.
2. **Encryption is Mandatory:** The existence of accessible, unencrypted SSNs on the network contributed directly to the scope of harm.
3. **Regulatory Compliance & Timeliness:** Failing to notify victims soon after a breach (notifying over a year later for the first incident) results in substantial penalties and regulatory action.
4. **Security Hygiene:** Basic attacks like phishing can succeed if cybersecurity controls are insufficient, leading to ransomware.
## Recommendations
1. **Implement Comprehensive Encryption:** Immediately ensure all collected, stored, transmitted, and maintained Personal Identifying Information (PII), especially SSNs, is encrypted using strong, modern standards.
2. **Develop and Test Incident Response Plan (IRP):** Establish a formal IRP that mandates specific, timely notification procedures for all confirmed data breaches to meet legal requirements.
3. **Enhance Vendor Security Standards:** Implement strict contractual obligations and audit procedures for any third party handling sensitive client data, ensuring vendor employees adhere to the same security standards as internal staff (focus on preventing external emailing).
4. **Mandatory Security Training:** Implement and enforce regular, comprehensive cybersecurity training for all employees, focusing heavily on recognizing and reporting phishing attempts.
5. **Asset Inventory:** Create and maintain a complete inventory detailing where all sensitive personal data resides across the network.
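Recommendations 1 and 5 both hinge on first knowing where plaintext SSNs actually sit on the network. The following is an added example, not code from the report or from Wojeski or the OAG, of a small discovery scanner a defender could run over a file share to build that inventory: it matches SSN-shaped strings, discards values that can never be an issued SSN under the Social Security Administration's published numbering rules (area 000, 666 or 900-999; group 00; serial 0000), and records only masked samples so the inventory does not become a new PII store. The file contents below are constructed sample data, and the `{path: content}` input is an assumption standing in for reading real files.

```python
import re

# Candidate pattern: 3 digits, optional separator, 2 digits, the SAME separator, 4 digits.
# The backreference rejects mixed forms such as "123-45 6789"; the digit lookarounds stop
# the pattern from matching inside longer digit runs such as account numbers.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed sample "files" standing in for a scanned share (assumption: caller supplies
# {path: content}; a real scanner would walk the tree and skip binaries/encrypted containers).
SAMPLE_FILES = {
    "clients/2022/tax_prep.csv": (
        "name,ssn\n"
        "Jane Roe,123-45-6789\n"
        "John Doe,219 09 9999\n"
        "Jane Roe,123-45-6789\n"   # duplicate record, counted once as unique
    ),
    "notes/readme.txt": (
        "Ticket 000-12-3456 and 666-01-0001 and 123-00-4567 are not SSNs; phone 555-1234."
    ),
    "finance/accounts.txt": "Account 12345678901234 ref 0001234567",
}


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject strings that have the shape of an SSN but can never be an issued one."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_plaintext_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN in `text`, normalised to ddd-dd-dddd."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if is_structurally_valid_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def mask(ssn: str) -> str:
    """Keep only the last four digits so the inventory itself holds no usable SSN."""
    return "***-**-" + ssn[-4:]


def build_inventory(files: dict[str, str]) -> dict[str, dict]:
    """Map each path holding plaintext SSNs to a count, a unique count and masked samples.

    Files with no hits are omitted so the result is the list of places that
    need encryption or removal, which is what the asset-inventory step is for.
    """
    inventory = {}
    for path, content in files.items():
        ssns = find_plaintext_ssns(content)
        if ssns:
            inventory[path] = {
                "count": len(ssns),
                "unique": len(set(ssns)),
                "samples": sorted({mask(s) for s in ssns})[:3],
            }
    return inventory


def run_demo() -> dict[str, dict]:
    """Scan the constructed sample files and return the inventory."""
    return build_inventory(SAMPLE_FILES)


if __name__ == "__main__":
    for path, info in run_demo().items():
        print(f"{path}: {info['count']} plaintext SSN(s), {info['unique']} unique, samples {info['samples']}")
```

Only the tax-prep CSV is reported: the readme's look-alikes fail the structural checks, and the 14-digit account number and 10-digit reference never match because the lookarounds require the nine digits to stand alone. Unseparated nine-digit strings that do stand alone will still be flagged, so treat the output as a prioritised list to verify, not a final answer.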