Cyber Incident Victim: Sax LLP

Date: Jul 2024

Location: United States of America

Summary

A major US accounting firm experienced a cyberattack compromising sensitive personal information of over 220,000 individuals, including names, dates of birth, Social Security numbers, and government-issued identification details. The intrusion was detected after unauthorized access occurred, but notification delays exceeding 16 months hindered timely response efforts. The organization provided affected parties with complimentary credit monitoring and identity protection services, though such measures are typically most effective when implemented promptly following a breach.

Description

Sax LLP, a New Jersey-based accounting and advisory firm ranked among the top 100 in the US with annual revenue exceeding $100 million, experienced a significant cybersecurity incident in 2024. The company detected unauthorized access to its network on August 7, 2024, and its investigation determined that attackers likely infiltrated systems in late July 2024. Forensic analysis revealed that the attackers exfiltrated files containing sensitive personal information belonging to 228,876 individuals. The compromised data varied per victim but included combinations of full names, dates of birth, Social Security numbers, driver's license or state identification numbers, and passport numbers. Sax LLP did not publicly disclose the breach until over 16 months after detection, delaying notification while it completed its investigation and verified contact details for affected parties. The company formally reported the incident to the Maine Attorney General's Office as part of its disclosure obligations. No ransomware group claimed responsibility for the attack during the 16-month period between intrusion detection and public disclosure, leaving the attackers' identity and motives unconfirmed by available evidence.

The breach exposed victims to potential identity theft and financial fraud due to the highly sensitive nature of the stolen identifiers. Sax LLP initiated notification letters to all 228,876 impacted individuals more than a year after confirming the breach, offering 12 months of complimentary credit monitoring, dark web surveillance, credit protection, and identity restoration services through a third-party provider. This delayed response significantly reduced the effectiveness of protective measures, as cybercriminals typically exploit stolen personal data within months of acquisition. The extended 16-month gap between breach detection and victim notification created operational challenges for individuals seeking to secure their compromised information. The incident's scope and prolonged investigation timeline underscored systemic vulnerabilities in Sax LLP's incident response protocols, particularly regarding forensic analysis efficiency and regulatory compliance timelines. No public evidence emerged regarding whether Sax LLP paid ransom demands or negotiated with threat actors to prevent further dissemination of stolen data.
