    ACCOUNTING FIRM | Documented Incident

    When Tax Season Becomes Open Season

    PEOPLE EXPOSED: 216,752
    RANSOMWARE GROUP: LockBit 3.0
    WHERE IT HAPPENED: Suburban Chicago

    What Happened

    In April 2024, Legacy Professionals LLP, an accounting firm based in Westchester, Illinois, just outside Chicago, was breached by the LockBit 3.0 ransomware group. Over two days, the attackers moved through the firm’s network and quietly copied files before anyone noticed. Those files held names, Social Security numbers, driver’s license numbers, and medical and health insurance details for 216,752 people. That August, the criminals published the stolen data on the dark web. The firm did not finish notifying affected individuals until early 2025, and it now faces class-action lawsuits over the breach and the delay.

    Where It Went Wrong

    An accounting firm holds the keys to its clients’ financial lives, which is exactly why criminals target it. In this case, the attackers had time inside the network to find and remove sensitive files. There was no system watching for the unusual file activity that signals an attacker copying data, and the slow notification afterward turned a technical failure into a legal one.

    How Red Door Shield Stops This

    Keep what's valuable secure

    Endpoint detection and encrypted, isolated backups mean client tax records are locked down and recoverable, even if one device is compromised.

    Inspect what's coming in

    24/7 monitoring flags the anomalous file movement that signals data theft in progress, often within milliseconds, instead of months later.

    Trust through validation

    Audit-ready compliance evidence and a tested incident-response plan mean that if something does happen, notification is fast, documented, and defensible, not a five-month scramble.

    The Takeaway

    Antivirus would not have caught this. Continuous monitoring and a real response plan would have. The difference between a contained event and a class-action lawsuit is who is watching the network while the firm focuses on its clients.

    Documented source: HIPAA Journal — Legacy Professionals data breach

    Related Case Studies

    PROPERTY MANAGEMENT

    38 Gigabytes of Tenant Trust, Gone in a Day

    In December 2024, Tri County Property Management, based in Sandwich, Illinois, was breached, with attackers removing roughly 38 gigabytes of data from its systems. Property managers sit on exactly what criminals want: tenant Social Security numbers, bank account and payment records, lease files, and applicant background data. The same pattern played out at Income Property Management, where a single intrusion exposed driver’s licenses, Social Security numbers, dates of birth, medical details, and even passport numbers, and the firm did not notify affected people until more than a year later.

    CONSTRUCTION & CONTRACTING

    Four Invoices, $445,000, One Spoofed Vendor

    In 2024, attackers impersonated a vendor working on the Town of Arlington, Massachusetts high school building project. Using phishing, spoofed email, and a compromised account, they inserted themselves into the payment process and supplied new wiring instructions. Four monthly payments totaling $445,945 went to the criminals before the real vendor reported, in February, that it had never been paid. Investigators later found additional interception attempts on the same project totaling roughly $5 million. The town’s bank was able to recover just $3,308, about six percent of the loss.
