CPA firm settles with NY AG over data breaches


Wojeski & Co., a firm based in Albany, New York, has reached a $60,000 settlement with New York Attorney General Letitia James after the firm was hit by two data breaches and ransomware attacks, exposing the personal information of over 4,700 people.

James's office found the firm took over a year to tell victims about the cyberattacks, even though it's required to notify them soon after a breach. Under the agreement announced Monday, the firm is required to pay $60,000 in penalties and take steps to improve its cybersecurity measures. Individuals who were affected by the data breaches have been offered one year of free credit report monitoring.

"Ransomware attacks like the ones at Wojeski put consumers at risk," James said in a statement. "As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers' personal data and prevent data breaches that could lead to identity theft and other types of fraud. When New Yorkers pay for a service, they should trust that the company they are paying will not expose their private information. Companies must do more to protect their customers' data and my office will not hesitate to hold them to account."

On July 28, 2023, Wojeski employees realized they were undergoing a ransomware attack when they couldn't access certain files in their systems. After containing the threat and launching an investigation, Wojeski discovered the cyberattack was probably caused by a phishing email sent to one of their employees. The investigation also found that customers' Social Security numbers were not encrypted in parts of the company's network. 

On May 31, 2024, Wojeski learned of another data breach when an employee from a firm hired to help with the investigation improperly accessed customer data located in the files that Wojeski had sent for review. The employees were also sending the information to several external email addresses without authorization. 

Wojeski didn't notify its clients about either security breach until November 2024, a year and a half after their personal data was originally jeopardized. The personal data exposed in one or both incidents included names, dates of birth, Social Security numbers, drivers' license numbers, email addresses, phone numbers, financial account numbers, medical benefits and entitlement information. The 2023 data breach affected 5,881 individuals, and the 2024 breach affected 351 individuals. Following the data breaches, Wojeski offered free credit monitoring to the individuals who were impacted.

Wojeski did not immediately respond to a request for comment.

As a result of the agreement with the New York Attorney General, Wojeski will pay $60,000 in penalties and is required to adopt stricter security standards to better protect the personal information of its customers in the future, including:

  • Maintaining a comprehensive information security program to protect customer information;
  • Encrypting personal information that the company collects, stores, transmits and/or maintains; 
  • Developing and maintaining an inventory of where personal data is being stored within its network;
  • Maintaining reasonable account management and authentication processes that limit employees' access to sensitive information as necessary; 
  • Establishing a program designed to identify and correct security vulnerabilities within its computer network; 
  • Implementing an incident response plan ensuring timely notice to consumers; and,
  • Implementing a cybersecurity training program to be completed by all employees. 

For her part, James has been in the news lately after she was indicted for bank fraud earlier this month by a grand jury. President Trump had publicly urged U.S. Attorney General Pam Bondi and the Justice Department to investigate her. James had successfully led a case against Trump in which he was found liable for fraud in 2023 for exaggerating his net worth by billions of dollars.
