Accounting firm Perkins & Co. in Portland Oregon has submitted a notification to the Vermont Attorney General’s Office about a breach that goes back to 2020 — the Netgain ransomware incident that impacted numerous clients and individuals.
According to Perkins’ notification, Netgain first notified them of the breach in December 2020. So why did it take until May 2022 for Perkins to determine who they needed to notify? Did they have an unusually high number of people impacted? Why does their notification appear to be so much later than others?
It turns out that this is not Perkins & Co.’s first notification about this breach. Counsel for Perkins & Co. filed notifications to the Maine Attorney General’s Office in March 2021 on behalf of Wieden+Kennedy (2,642 affected), in April 2021 on behalf of Barrett Business Services, Inc. (23,018 affected) and on behalf of eight other clients (53,768 affected), and on May 4, 2021 on behalf of M. Financial Holdings Incorporated (12,379 affected). In May 2021, a notification to the New Hampshire Attorney General’s Office also noted two other clients who were affected, although no numbers were disclosed.
Whether the May 27, 2022 notice to Vermont indicates that there are yet others first being notified is unknown to DataBreaches.
You can read their full May 27 notification letter at the Vermont Attorney General’s website.