Mazars USA LLP, a certified public accounting firm, faced regulatory action by the New York Attorney General (NY AG) for failing to secure unencrypted sensitive personal data, including Social Security numbers, financial records, and tax documents of clients and employees. The breaches occurred due to inadequate cybersecurity measures, such as lack of encryption, weak access controls, and failure to monitor third-party vendors. While the article does not specify a direct data leak of customer information, the exposed data—if compromised—could enable identity theft, financial fraud, or reputational harm. The NY AG’s settlement required Mazars to pay $60,000 in penalties and implement stricter security protocols, including encryption, multi-factor authentication (MFA), and vendor risk assessments. The incident highlights vulnerabilities in handling highly sensitive financial and personal data, particularly in sectors like accounting where trust and confidentiality are critical. The breach did not result in confirmed theft but posed significant risks to employee and client privacy, warranting regulatory intervention.

On October 10, 2012, Accume Partners suffered a data breach due to a stolen laptop belonging to WeiserMazars, LLC, an affiliated third-party service provider. The incident was reported by the California Office of the Attorney General on December 10, 2012. The breach exposed sensitive personal information of plan participants, specifically names and Social Security numbers (SSNs). The compromised data belonged to individuals associated with Accume Partners’ retirement or benefit plans, raising concerns over potential identity theft, financial fraud, or misuse of the exposed SSNs. While the exact number of affected individuals was not specified in the report, the exposure of such highly sensitive information posed a significant risk to the privacy and financial security of the impacted participants. The breach stemmed from the physical theft of an unencrypted or inadequately secured device, highlighting vulnerabilities in data protection protocols involving third-party vendors.