Full Report
Wojeski & Company suffered a ransomware attack, and then an insider breach when an employee of a firm hired to investigate the breach inappropriately accessed data. Employees were also transmitting data to external accounts without authorization. To make things even worse, the accounting firm took more than a year to notify those affected. From a...
Analysis Summary
# Incident Report: Dual Compromise at Wojeski & Company (Ransomware and Insider Data Misuse)
## Executive Summary
Wojeski & Company, a public accounting firm, suffered two distinct cybersecurity incidents between July 2023 and May 2024, exposing the personal data of over 4,700 New Yorkers. The initial incident was a ransomware attack likely caused by phishing, followed by a separate internal breach where an investigation contractor improperly accessed and exfiltrated client data. Compounding the failures, the firm delayed notifying affected parties by over a year, resulting in a $60,000 settlement with the NY Attorney General and mandated security improvements.
## Incident Details
- Discovery Date: July 28, 2023 (Ransomware); May 31, 2024 (Insider Breach)
- Incident Date: Ransomware occurred on or before July 28, 2023; Insider breach occurred on or before May 31, 2024. Notification occurred in November 2024.
- Affected Organization: Wojeski & Company
- Sector: Accounting/Public Accounting Firm
- Geography: New York (Focus of AG action)
## Timeline of Events
### Initial Access (Ransomware)
- Date/Time: On or before July 28, 2023
- Vector: Phishing Email
- Details: An employee fell victim to a phishing email, which led to a ransomware attack resulting in file inaccessibility.
### Secondary Compromise (Insider Breach)
- Date/Time: On or before May 31, 2024
- Vector: Misuse by an external contractor
- Details: During a forensic investigation into the initial breach, an employee of the hired investigation firm improperly accessed customer data sent for review. This individual also sent information to several external email addresses without authorization.
### Data Exfiltration/Impact
- **2023 Breach Total:** 5,881 individuals affected, 4,726 NY residents. Exposed data included names, DOBs, SSNs, driver's license numbers, email addresses, phone numbers, financial account numbers, medical benefits, and entitlement information. Key finding: SSNs were not encrypted in portions of the network.
- **2024 Breach Total:** 351 individuals affected, 267 NY residents. The scope was limited to data accessed and exfiltrated by the contractor.
### Detection & Response
- **Detection (Ransomware):** July 28, 2023, when employees realized files were inaccessible.
- **Detection (Insider):** May 31, 2024, when Wojeski was notified of the improper access by the contractor.
- **Response Actions:** Threat contained (Ransomware), investigation launched, third-party firm hired. Remediation included paying a $60,000 penalty to NY AG and agreeing to significant security upgrades. Impacted individuals were offered one year of free credit monitoring. **Critically, notification to victims did not occur until November 2024.**
## Attack Methodology
- **Initial Access:** Phishing (for ransomware); Authorized (but misused) access granted to an external investigation firm (for insider breach).
- **Persistence:** Not explicitly detailed; the second breach shows that client data remained accessible to the investigation contractor for the duration of the incident response process.
- **Privilege Escalation:** Not explicitly detailed, but the contractor had access to sensitive files for investigation purposes.
- **Defense Evasion:** The lack of encryption on SSNs was a critical failure enabling easy exposure during both incidents.
- **Credential Access:** Not explicitly detailed, though SSNs and financial data were exposed.
- **Discovery:** Initial reconnaissance unclear post-phishing; Investigation firm performed data discovery, which was then misused.
- **Lateral Movement:** Contractor moved data from project files to unauthorized external email addresses.
- **Collection:** Names, DOBs, SSNs, driver's licenses, financial/medical/entitlement info were collected.
- **Exfiltration:** Data sent to "several external email addresses" by the contractor.
- **Impact:** Exposure of PII, potential identity theft risk, regulatory scrutiny, and financial penalties.
## Impact Assessment
- **Financial:** $60,000 in penalties paid to the NY AG, cost of remediation, cost of credit monitoring offered.
- **Data Breach:** Names, DOBs, SSNs, Driver's licenses, Financial account numbers, Medical/Entitlement data exposed across two separate incidents affecting thousands of individuals (4,726 NY residents impacted overall).
- **Operational:** The initial ransomware caused disruption (files became inaccessible), though specific downtime is not documented. Significant regulatory and reputational damage resulted from the late notification.
- **Reputational:** Public settlement announcement by the NY AG highlights significant failure in protecting client data.
## Indicators of Compromise
*Note: Specific IoCs were not provided in the text, only incident vectors.*
- **Network indicators:** N/A (No malicious IPs/domains listed)
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized transmission of client investigation files/data to external email accounts by an external contractor; employees suddenly unable to access internal network files (ransomware indication).
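The contractor-to-external-mailbox pattern above is the one behavioral indicator the report offers. The following detection logic, added here as an example and not part of the original report or the firm's tooling, runs over constructed mail-gateway log lines; the account names, domains and CSV layout are assumptions.

```python
"""Flag outbound mail from incident-investigation accounts to external
addresses. Constructed example; log format and account names are assumed."""
import csv
import io
from collections import defaultdict

# Constructed sample of outbound mail-gateway log lines (not real data).
SAMPLE_LOG = """timestamp,sender,recipient,attachment,subject
2024-05-20T09:14:02Z,analyst1@forensics.example,cases@forensics.example,1,case notes
2024-05-20T11:40:55Z,analyst1@forensics.example,mailbox1@freemail.example,1,export part 1
2024-05-21T08:02:13Z,analyst1@forensics.example,other@webmail.example,1,export part 2
2024-05-21T08:05:44Z,analyst1@forensics.example,third@freemail.example,1,export part 3
2024-05-21T10:30:00Z,staff@wojeski.example,client@clientco.example,0,meeting
"""

# Accounts granted time-limited access to breach-investigation data (assumed).
INVESTIGATION_ACCOUNTS = {"analyst1@forensics.example"}
# Domains allowed to receive investigation material (assumed).
ALLOWED_DOMAINS = {"wojeski.example", "forensics.example"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def flag_external_transfers(log_text):
    """Return one alert per investigation-account message that carries an
    attachment to a recipient outside ALLOWED_DOMAINS."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["sender"] not in INVESTIGATION_ACCOUNTS:
            continue
        if domain_of(row["recipient"]) in ALLOWED_DOMAINS:
            continue
        if row["attachment"] != "1":
            continue
        alerts.append((row["timestamp"], row["sender"], row["recipient"]))
    return alerts


def senders_with_many_external_recipients(alerts, threshold=2):
    """Escalate senders whose attachments reached at least `threshold`
    distinct external addresses (the 'several external addresses' pattern)."""
    per_sender = defaultdict(set)
    for _, sender, recipient in alerts:
        per_sender[sender].add(recipient)
    return {s for s, r in per_sender.items() if len(r) >= threshold}
```

In a real deployment the investigation-account set would be populated from the access grant issued to the forensic firm and expired with it, so the rule stops firing once the engagement ends.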
## Response Actions
- **Containment:** The ransomware threat was contained shortly after discovery on 7/28/2023.
- **Eradication:** The engagement with the offending investigation firm and/or its employee was likely terminated; security measures mandated by the settlement were enacted.
- **Recovery actions:** Offered one year of free credit monitoring to impacted individuals.
## Lessons Learned
- **Vendor Risk Management:** Third-party contractors investigating breaches must have extremely limited and strictly audited access to sensitive data.
- **Data Minimization/Encryption:** Storing sensitive PII (like SSNs) unencrypted in any part of the network represents a critical, exploitable vulnerability.
- **Timeliness of Disclosure:** The delay of over a year in notifying victims severely exacerbated regulatory risk and potential consumer harm. Incident response plans must prioritize timely notification as mandated by law.
## Recommendations
- Immediately implement mandatory encryption at rest and in transit for all PII, especially Social Security Numbers and financial details.
- Review and segregate the handling of incident data: only a strictly necessary subset of data should be shared with external forensic firms, and access must be time-limited and logged.
- Develop and strictly adhere to an Incident Response Plan that includes immediate identification of regulatory notification deadlines (e.g., "notify victims soon after a breach") and audit compliance.
- Implement robust, mandatory cybersecurity awareness training focusing heavily on phishing identification for all employees.