Cyber Incident Victim: Rubino & Company
Date: Apr 2023
Location: United States of America
Summary
Rubino & Company, an accounting firm, experienced a data breach involving unauthorized access to its IT network. The security incident compromised sensitive consumer information, including names and Social Security numbers. The company filed an official notice with state authorities and began sending data breach notifications to all affected individuals, offering them free credit monitoring services.
Description
On April 19, 2023, the accounting firm Rubino & Company filed an official notice of a data breach with the Massachusetts Attorney General. This filing was the public confirmation of a cybersecurity incident in which an unauthorized party gained access to the company’s IT network. The access resulted in the compromise of confidential consumer information stored on the network. The discovery that sensitive data had been exposed to an unauthorized party prompted the company to initiate an internal review of the affected files. The purpose of this review was to determine the specific types of information that were compromised and to identify the specific consumers who were impacted by this event. The investigation revealed that the breached information varied from individual to individual but included the names and Social Security numbers of consumers.

Following the confirmation that consumer data had been leaked, Rubino & Company began the process of sending out data breach notification letters to all individuals whose information was involved in the incident. These letters were intended to inform the victims about the breach and the potential risks associated with the exposure of their personal data. The company’s official data breach letters also contained more detailed information regarding the nature of the cybersecurity event, the specific dates during which the unauthorized access occurred, and a description of the actions the company took upon first learning of the breach. As part of its response, Rubino & Company offered free credit monitoring services to all victims of the breach to help them protect against potential fraud and identity theft.

The public reporting of the incident was conducted exclusively through the filing with the Massachusetts Attorney General on April 19, 2023. At the time of this filing, the company had not yet posted a notice of the incident on its own corporate website, making the Attorney General’s website the primary source of initial information. Consequently, publicly available details about the breach were limited to what was contained in that official state filing. The incident involved unauthorized access to the firm's network, but no further specifics regarding the attack vector, such as ransomware, phishing, or malware, were disclosed in the available public information. Similarly, the exact timeline of events, including the initial date of compromise, the date of detection, and the duration of the unauthorized access, was not detailed in the public filing and was instead reserved for the individual breach notification letters sent to affected consumers.

Rubino & Company is an accounting firm headquartered in Bethesda, Maryland, with additional office locations in Maryland, Virginia, and California. The firm provides a range of services including tax preparation, audit services, and wealth management to a national client base. With more than 81 employees and annual revenue of approximately $17 million, the company manages a significant amount of sensitive financial and personal data as part of its core business operations. The breach of its IT network directly impacted this data, exposing consumers to an increased risk of identity theft and financial fraud. The compromised data elements, specifically names and Social Security numbers, are highly valuable to cybercriminals who use such information to commit various forms of fraud.

The company’s response actions included the internal review of compromised files, official reporting to government authorities, and direct notification to affected individuals. The offering of credit monitoring services was a direct mitigation step aimed at assisting the victims. The full scope of the breach, including the total number of individuals affected, was not disclosed in the initial public filing. The incident represents a compromise of a professional services firm that retains sensitive consumer information, leading to the potential exposure of that data for malicious purposes. The filing with the Massachusetts Attorney General constitutes the company's compliance with state data breach notification laws, which require organizations to inform regulators and consumers when personal information is acquired by an unauthorized party.
