NEW YORK — New York Attorney General Letitia James has revealed a settlement with the public accounting firm Wojeski & Company following two data breaches that compromised the personal information of over 4,700 residents of New York, highlighting serious cybersecurity shortcomings and a delay in informing the victims.
The breaches took place in 2023 and 2024, affecting sensitive information including Social Security numbers, financial account details, and medical benefits. Although the first breach was identified in July 2023, Wojeski failed to inform the impacted clients until November 2024 — more than a year later.
Under the settlement, Wojeski will pay a $60,000 penalty and implement a series of enhanced cybersecurity measures, including:
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said Attorney General James. “As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers’ personal data and prevent data breaches that could lead to identity theft and other types of fraud. When New Yorkers pay for a service, they should trust that the company they are paying will not expose their private information. Companies must do more to protect their customers’ data and my office will not hesitate to hold them to account.”
- Encrypting personal data
- Limiting employee access to sensitive information
- Developing a comprehensive incident response plan
- Conducting regular security audits
- Providing cybersecurity training to staff
The initial breach resulted from a phishing attack that triggered a ransomware infection. In contrast, the second breach happened when a third-party contractor accessed client data inappropriately and disseminated it through unauthorized email accounts.
“This breach is a serious reminder that protecting personal information isn’t optional,” said Albany County Executive Daniel P. McCoy. “When businesses handle sensitive data, they owe it to their clients and our community to safeguard that information. I appreciate Attorney General James’ efforts to hold this firm accountable, and I hope this serves as a reminder to every organization that data privacy must be treated with the same care as any other public trust.”
“The protection of every New Yorker’s personal data and privacy must always be a top priority,” said Senator Patricia Fahy. “I commend Attorney General James for taking decisive action to hold this firm accountable and ensure stronger safeguards are in place moving forward. Data security is a matter of public trust, and this settlement highlights the importance of protecting personal and sensitive data.”
“Protecting the personal information of those we serve must always be a top priority,” said Assemblymember John T. McDonald III. “This settlement is a reminder that every organization handling personal data must take cybersecurity seriously. I commend Attorney General James for her continued work to ensure New Yorkers’ information is protected.”
The more than 4,700 New Yorkers affected were offered one year of free credit monitoring by the firm.
