Cyber Incident Victim: Act21

On February 13, 2024, Act21, a corporate social responsibility subsidiary of professional services firm Baker Tilly, experienced a cyberattack that disrupted client access to its software platforms and associated data. The attack involved system encryption, rendering client data and applications inaccessible. Baker Tilly confirmed the incident publicly, stating initial investigations indicated no evidence of data exfiltration but confirmed encryption of client information. The attack specifically targeted Act21’s infrastructure, though the exact ransomware variant or threat actor was not identified in available reports. Act21’s client-facing systems became non-operational, preventing clients from accessing their proprietary data hosted on the platform. The parent company emphasized that Act21’s software tools were not directly integrated into clients’ operational workflows, limiting immediate business process disruptions for those organizations.

Baker Tilly mobilized internal IT teams alongside external cybersecurity specialists to investigate the incident and initiate recovery procedures. Despite these efforts, the company acknowledged an inability to provide clients with a timeline for full data restoration or system availability. Impacted clients—including Les Mousquetaires, CETIH, Ubisoft, the Caisse des Dépôts group, Agence nationale de l’habitat, Université Gustave Eiffel, and public sector entities in Brussels—were notified of the disruption. The response focused on forensic analysis to confirm the absence of data theft and decryption efforts to restore client access. No secondary impacts on Baker Tilly’s core auditing, consulting, or accounting services were reported, as Act21 operates as a distinct business unit. The incident remained unresolved at the time of reporting, with recovery complexity prolonging service restoration efforts.