Wojeski & Company suffered a ransomware attack, and then an insider breach when an employee of a firm hired to investigate the breach inappropriately accessed data. Employees were also transmitting data to external accounts without authorization. To make things even worse, the accounting firm took more than a year to notify those affected. From a press release from the NY Attorney General’s Office:
October 20, 2025
NEW YORK – New York Attorney General Letitia James today announced a settlement with a public accounting firm, Wojeski & Company (Wojeski), to strengthen its data security to protect consumers’ data. Wojeski did not take proper measures to secure their clients’ personal information and suffered two cybersecurity incidents that exposed the private information of more than 4,700 New Yorkers. An investigation by the Office of the Attorney General (OAG) found that Wojeski took over a year to notify victims of the data breach, despite being required to notify victims soon after a breach. As a result of today’s agreement, Wojeski must pay $60,000 in penalties and take steps to improve its cybersecurity measures. Individuals who were affected by the data breaches were offered one year of free credit report monitoring.
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said Attorney General James. “As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers’ personal data and prevent data breaches that could lead to identity theft and other types of fraud. When New Yorkers pay for a service, they should trust that the company they are paying will not expose their private information. Companies must do more to protect their customers’ data and my office will not hesitate to hold them to account.”
Wojeski is a certified public accounting firm. On July 28, 2023, Wojeski employees realized they were experiencing a ransomware attack when they were unable to access certain files in their systems. After containing the threat and launching an investigation, Wojeski found that the cyberattack was likely caused by a phishing email sent to one of their employees. The investigation also found that customers’ social security numbers were not encrypted in parts of the company’s network. On May 31, 2024, Wojeski was notified of another data breach when an employee from a firm hired to help with the investigation improperly accessed customer data located in the files that Wojeski had sent for review. The employees were also sending the information to several external email addresses without authorization.
Wojeski did not notify customers of either security breach until November 2024, a year and a half after their clients’ personal data was first jeopardized. Personal data exposed in one or both incidents included names, dates of birth, social security numbers, drivers’ license numbers, email addresses, phone numbers, financial account numbers, medical benefits, and entitlement information. The 2023 data breach affected 5,881 individuals, 4,726 of whom were New York residents, and the 2024 breach affected a total of 351 individuals, 267 of whom were New York residents. Following the data breaches, Wojeski offered impacted individuals free credit monitoring.
As a result of today’s agreement, Wojeski will pay $60,000 in penalties and the company is required to adopt stricter security standards to better protect the personal information of its customers in the future, including:
- Maintaining a comprehensive information security program to protect the security, integrity, and confidentiality of customer information;
- Encrypting personal information that the company collects, stores, transmits, and/or maintains;
- Developing and maintaining an inventory of where personal data is being stored within its network;
- Maintaining reasonable account management and authentication processes that limit employees’ access to sensitive information as necessary;
- Establishing a program designed to identify and correct security vulnerabilities within its computer network;
- Implementing an incident response plan ensuring timely notice to consumers; and
- Implementing a cybersecurity training program to be completed by all employees.
Source: New York Attorney General Letitia James
The state does not seem to have uploaded the agreement and terms Wojeski accepted.