New York Attorney General Letitia James has reached a settlement with Wojeski & Company, a public accounting firm, after the company failed to adequately protect clients’ personal information. The settlement comes after two cybersecurity incidents exposed the private data of more than 4,700 New Yorkers.
An investigation by the Office of the Attorney General (OAG) found that Wojeski took over a year to notify victims about the breaches, despite legal requirements for prompt notification. Under the agreement announced today, Wojeski will pay $60,000 in penalties and must implement new cybersecurity measures. Impacted individuals were offered one year of free credit report monitoring.
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said Attorney General James. “As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers’ personal data and prevent data breaches that could lead to identity theft and other types of fraud. When New Yorkers pay for a service, they should trust that the company they are paying will not expose their private information. Companies must do more to protect their customers’ data and my office will not hesitate to hold them to account.”
Wojeski experienced its first incident on July 28, 2023, when employees discovered a ransomware attack had blocked access to certain files. The company’s investigation determined that a phishing email was likely responsible for the breach and found that some social security numbers were not encrypted within its network. On May 31, 2024, another breach occurred when an employee from an outside firm hired for the investigation improperly accessed customer data and sent it externally without authorization.
Despite these incidents, customers were not notified until November 2024—about eighteen months after their information was compromised. Data exposed included names, dates of birth, social security numbers, driver’s license numbers, email addresses, phone numbers, financial account details, medical benefits information, and entitlement records. The first breach affected nearly 5,900 people—over 4,700 from New York—and the second affected 351 individuals including 267 state residents.
As part of its settlement with OAG, Wojeski is required to adopt several new security protocols: maintaining a comprehensive information security program; encrypting all collected or stored personal information; keeping an inventory of where such data is stored; restricting employee access based on necessity; establishing processes for identifying vulnerabilities; creating an incident response plan with timely consumer notifications; and requiring all employees to complete cybersecurity training.
“This breach is a serious reminder that protecting personal information isn’t optional,” said Albany County Executive Daniel P. McCoy. “When businesses handle sensitive data, they owe it to their clients and our community to safeguard that information. I appreciate Attorney General James’ efforts to hold this firm accountable, and I hope this serves as a reminder to every organization that data privacy must be treated with the same care as any other public trust.”
“The protection of every New Yorker’s personal data and privacy must always be a top priority,” said Senator Patricia Fahy. “I commend Attorney General James for taking decisive action to hold this firm accountable and ensure stronger safeguards are in place moving forward. Data security is a matter of public trust, and this settlement highlights the importance of protecting personal and sensitive data.”
“Protecting the personal information of those we serve must always be a top priority,” said Assemblymember John T. McDonald III. “This settlement is a reminder that every organization handling personal data must take cybersecurity seriously. I commend Attorney General James for her continued work to ensure New Yorkers’ information is protected.”
“Protecting the personal data of New Yorkers is a fundamental responsibility of any business entrusted with sensitive information,” said Assemblymember Gabriella A. Romero. “When a firm fails to act quickly after a data breach, it’s not just a lapse in cybersecurity, it’s a lapse in trust. I am continually proud to be represented by a strong advocate like Attorney General Letitia James, who time and time again defends New Yorkers’ right to privacy and security. Albany businesses must take this as a reminder that transparency, strong data protections, and swift actions are essential to maintaining public confidence.”
Attorney General James has previously taken similar actions against companies failing in cybersecurity practices—including lawsuits against insurance companies Allstate and Root Insurance earlier this year following major breaches affecting tens of thousands of residents; settlements with Noblr auto insurance ($500K), GEICO/Travelers ($11M), Capital Region health care provider ($2M+), biotech firms ($4M+); as well as releasing privacy guides aimed at helping both businesses and consumers better secure online activity.
The case was handled by Deputy Bureau Chief Clark Russell from the Bureau of Internet and Technology under Bureau Chief Kim Berger within the Division for Economic Justice.
