Attorney General James Announces Settlement with Accounting Firm for Failing to Protect New Yorkers’ Personal Data
Ransomware Attack at Wojeski & Company Exposed the Personal Information of More Than 4,700 New Yorkers
Settlement Requires Wojeski & Company to Strengthen its Data Security to Protect Consumers’ Data
NEW YORK – New York Attorney General Letitia James today announced a settlement with a public accounting firm, Wojeski & Company (Wojeski), to strengthen its data security to protect consumers’ data. Wojeski did not take proper measures to secure their clients’ personal information and suffered two cybersecurity incidents that exposed the private information of more than 4,700 New Yorkers. An investigation by the Office of the Attorney General (OAG) found that Wojeski took over a year to notify victims of the data breach, despite being required to notify victims soon after a breach. As a result of today’s agreement, Wojeski must pay $60,000 in penalties and take steps to improve its cybersecurity measures. Individuals who were affected by the data breaches were offered one year of free credit report monitoring.
“Ransomware attacks like the ones at Wojeski put consumers at risk,” said Attorney General James. “As an accounting firm, Wojeski should have taken stronger measures to protect New Yorkers’ personal data and prevent data breaches that could lead to identity theft and other types of fraud. When New Yorkers pay for a service, they should trust that the company they are paying will not expose their private information. Companies must do more to protect their customers’ data and my office will not hesitate to hold them to account.”
Wojeski is a certified public accounting firm. On July 28, 2023, Wojeski employees realized they were experiencing a ransomware attack when they were unable to access certain files in their systems. After containing the threat and launching an investigation, Wojeski found that the cyberattack was likely caused by a phishing email sent to one of their employees. The investigation also found that customers’ social security numbers were not encrypted in parts of the company’s network. On May 31, 2024, Wojeski was notified of another data breach when an employee from a firm hired to help with the investigation improperly accessed customer data located in the files that Wojeski had sent for review. The employees were also sending the information to several external email addresses without authorization.
Wojeski did not notify customers of either security breach until November 2024, a year and a half after their clients’ personal data was first jeopardized. Personal data exposed in one or both incidents included names, dates of birth, social security numbers, drivers’ license numbers, email addresses, phone numbers, financial account numbers, medical benefits, and entitlement information. The 2023 data breach affected 5,881 individuals, 4,726 of whom were New York residents, and the 2024 breach affected a total of 351 individuals, 267 of whom were New York residents. Following the data breaches, Wojeski offered impacted individuals free credit monitoring.
As a result of today’s agreement, Wojeski will pay $60,000 in penalties and the company is required to adopt stricter security standards to better protect the personal information of its customers in the future, including:
- Maintaining a comprehensive information security program to protect the security, integrity, and confidentiality of customer information;
- Encrypting personal information that the company collects, stores, transmits, and/or maintains;
- Developing and maintaining an inventory of where personal data is being stored within its network;
- Maintaining reasonable account management and authentication processes that limit employees’ access to sensitive information as necessary;
- Establishing a program designed to identify and correct security vulnerabilities within its computer network;
- Implementing an incident response plan ensuring timely notice to consumers; and
- Implementing a cybersecurity training program to be completed by all employees.
“This breach is a serious reminder that protecting personal information isn’t optional,” said Albany County Executive Daniel P. McCoy. “When businesses handle sensitive data, they owe it to their clients and our community to safeguard that information. I appreciate Attorney General James’ efforts to hold this firm accountable, and I hope this serves as a reminder to every organization that data privacy must be treated with the same care as any other public trust.”
“The protection of every New Yorker’s personal data and privacy must always be a top priority,” said Senator Patricia Fahy. “I commend Attorney General James for taking decisive action to hold this firm accountable and ensure stronger safeguards are in place moving forward. Data security is a matter of public trust, and this settlement highlights the importance of protecting personal and sensitive data.”
“Protecting the personal information of those we serve must always be a top priority,” said Assemblymember John T. McDonald III. “This settlement is a reminder that every organization handling personal data must take cybersecurity seriously. I commend Attorney General James for her continued work to ensure New Yorkers' information is protected.”
“Protecting the personal data of New Yorkers is a fundamental responsibility of any business entrusted with sensitive information,” said Assemblymember Gabriella A. Romero. “When a firm fails to act quickly after a data breach, it's not just a lapse in cybersecurity, it's a lapse in trust. I am continually proud to be represented by a strong advocate like Attorney General Letitia James, who time and time again defends New Yorkers' right to privacy and security. Albany businesses must take this as a reminder that transparency, strong data protections, and swift actions are essential to maintaining public confidence.”
Attorney General James has consistently held companies accountable for having poor cybersecurity. In March 2025, Attorney General James sued Allstate and Root Insurance for failing to protect New Yorkers’ information, exposing the information of more than 165,000 and 45,000 New Yorkers, respectively. In December 2024, Attorney General James announced a $500,000 settlement with Noblr auto insurance for inadequate data security. In November 2024, Attorney General James and Department of Financial Services Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for having poor data security. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves.
This matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.