Sax LLP, a top-ranked US accounting firm, has begun notifying over 220,000 individuals that sensitive personal data was compromised in a cyberattack that went undisclosed for more than 16 months.
Based in New Jersey, Sax is a top 100 accounting and advisory company with an annual revenue exceeding $100 million.
In a filing with the Maine Attorney General’s Office, Sax revealed that it had detected a network intrusion on August 7, 2024. However, it took the company well over a year to complete its investigation and identify contact information for the impacted individuals.
The probe showed that hackers likely gained access to its systems in late July 2024 and managed to obtain files containing the personal information of 228,876 individuals.
According to Sax, the compromised information varies for each individual, but can include name, date of birth, SSN, driver’s license or state identification number, and passport number.
SecurityWeek has not seen any known ransomware group take credit for an attack on Sax. It’s possible that the company was targeted by cybercriminals who do not have a public leak website, or the firm may have paid a ransom to prevent the data from being made public or distributed to others.
The company is offering impacted individuals 12 months of free credit monitoring, dark web monitoring, credit protection, and identity restoration services.
However, the significant delay in notifying victims renders these services functionally obsolete because cybercriminals typically monetize stolen information within the first few months following the breach.
Related: Coupang to Issue $1.17 Billion in Vouchers Over Data Breach
Related: 22 Million Affected by Aflac Data Breach
Related: Hacker Claims Theft of 40 Million Condé Nast Records After Wired Data Leak
Related: 3.5 Million Affected by University of Phoenix Data Breach
