Cyber Incident Victim: Harding, Shymanski & Company

Date: Mar 2023

Location: United States of America

Summary

An accounting firm experienced a data breach after an unauthorized party compromised an employee's credentials to access clients' 2021 tax returns and sensitive files, resulting in the filing of fraudulent tax returns for some individuals. The breach exposed personally identifiable and financial information, including names, Social Security numbers, dates of birth, driver's license details, and banking or investment account data. The firm secured its network, engaged cybersecurity specialists and law enforcement, and notified affected individuals following its investigation. The incident impacted clients across multiple industries served by the organization, posing risks of financial fraud and identity theft.


Description

On March 15, 2023, Harding, Shymanski & Company (HSC) discovered that several clients had fraudulent tax returns filed in their names, prompting an immediate response. The firm secured its network, notified law enforcement, and engaged third-party cybersecurity experts to investigate the incident. The investigation revealed that an unauthorized party had compromised a single employee’s credentials, using them to access 2021 tax returns and other files containing sensitive client data. This breach exposed personal information, including names, dates of birth, Social Security numbers, driver’s license numbers, bank account and routing numbers, and investment or brokerage account details. By March 27, 2023, HSC completed its review of affected files to identify the compromised information and impacted individuals. The incident directly affected clients who had utilized HSC’s accounting or tax preparation services, with confirmed cases of fraudulent activity already reported by some victims.

On April 11, 2023, HSC filed a formal notice with the Montana Attorney General and began mailing data breach notifications to all affected individuals. The firm did not disclose the total number of impacted clients or the exact method of initial credential compromise. Founded in 1975 and operating primarily in Kentucky and Indiana, HSC serves clients across multiple industries, including construction, healthcare, and manufacturing. The breach compromised data essential to identity theft and financial fraud, creating risks for unauthorized tax filings and potential misuse of banking or brokerage details. HSC’s response focused on containment, external collaboration, and regulatory compliance, though the breach underscores vulnerabilities in credential management and tax document security. The incident disrupted client trust and necessitated ongoing vigilance against fraud for those whose data was exposed.
