Chicago Accountancy Firm Discovers Data was Stolen in December 2020 Ransomware Attack

The Chicago, IL-based accountancy firm Bansley and Kiener LLP has announced it was the victim of a December 2020 ransomware attack that saw certain files within its systems encrypted. The attack only caused temporary disruption, and it was possible to restore all encrypted systems from backups and rapidly return to normal operations.

The attack occurred on December 10, 2020, and the subsequent investigation into the incident found no evidence of data theft and confirmed that the breach had been fully contained. However, Bansley and Kiener said in a December 3, 2021 data breach notification letter that the firm learned on May 24, 2021, that the attackers had exfiltrated some files from its systems, and those files contained sensitive client information.

A third-party cybersecurity firm was engaged to assist with the subsequent investigation and while it was not possible to confirm the specific types of information that had been accessed and exfiltrated, on August 24, 2021, the investigation confirmed the names and Social Security numbers of some individuals may have been obtained by the attackers.

Bansley and Kiener said the attack prompted a review of its security measures and they have since been strengthened to prevent further data breaches, and the workforce continues to be educated on cybersecurity best practices. Notification letters have now been sent to affected individuals with instructions on how to protect their personal information, including how to take advantage of the complimentary credit and identity theft monitoring services that have been offered.

It is not known how many individuals in total have had their names and Social Security numbers exposed, but the breach has been reported to the HHS’ Office for Civil Rights under four separate breach reports affecting a total of 70,941 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.