Legacy Professionals LLP faces data breach affecting over 190K
Abby Grifno
Mar 18, 2025 6:24:22 PM
The Chicago, Illinois-based accounting firm recently filed a data breach report with the Maine Attorney General.
What happened
Legacy Professionals filed a data breach notice with the Attorney General of Maine on or around February 27th, 2025.
According to its notice, Legacy learned of “potentially suspicious activity related to certain data stored on our computer network” in late April 2024. After noticing the suspicious activity, the team worked to secure the network and investigate the incident. Legacy also received assistance from a third-party cybersecurity specialist.
The investigation concluded in November 2024 and determined that an unauthorized actor had accessed files. The team conducted a review, which was completed in early February and has now been followed by breach notices.
It’s believed that approximately 190,818 individuals were impacted, but Legacy has not yet confirmed the number with the Attorney General. The data involved varies per individual but generally includes names, Social Security numbers, and additional information.
Going deeper
Legacy Professionals is a public accounting firm specializing in audit, tax, and consulting services for labor organizations. The company generally assists with employee benefit plans, accounting for nonprofit organizations, and accounting for other businesses. Because of the work Legacy does, the company frequently handles sensitive data, including financial information, employment data, and other personal information.
While Legacy has not confirmed who conducted the attack, LockBit claimed the attack back in August 2024. LockBit, a Russia-based ransomware group, demanded Legacy pay a ransom within two weeks. Currently, it’s unknown if Legacy paid the ransom or attempted to negotiate. Paying ransoms is unwise, as it can give these groups a further incentive to attack organizations or to target companies that have paid ransoms in the past.
The bottom line
Vendors are increasingly being targeted by malicious actors because they tend to hold vast amounts of data. Companies like Legacy Professionals work with many other companies, making successful attacks more fruitful.
Ultimately, organizations that work with vendors must determine if their cybersecurity measures are sufficient before agreeing to partner with them.
FAQs
How can vendors prevent cyberattacks?
Vendors should hold high cybersecurity standards for data. These organizations should also consider the regulations their partner companies are being held to. For instance, vendors that work with healthcare organizations and handle protected health information (PHI) should also be HIPAA compliant. Even if working with limited data, having high cybersecurity standards can still prevent costly and time-consuming breaches.
Why does it take so long for individuals to receive data breach notices?
Investigations into data breaches can be costly and time-consuming. At times, breach notices are also delayed if the vulnerability still exists within the network. Generally, healthcare organizations must provide notice to the Department of Health and Human Services (HHS) within 60 days, but delays occur frequently.