A breach of a mid-sized accounting firm in Louisiana that impacted 127,431 of its customers offers some insight into how average businesses find reporting data breaches in a timely manner very challenging.
The July 2023 breach of Lafayette, Louisiana, accounting firm Wright, Moore, DeHart, Dupuis, and Hutchinson (WMDDH) was notable in that it took the 100-employee company and its investigators about 10 months to identify who the compromised information belonged to — and another two months to pinpoint the contact information of the people affected.
In a filing with the Attorney General’s Office in Maine, WMDDH outlined that the breach took place on June 29, 2023, but it wasn’t fully discovered until Sept. 10, 2024. A Sept. 19, 2024 letter to customers a little more than a week later added that it was actually on July 11, 2023, that the company first noticed some suspicious activity.
WMDDH told affected customers that that the information stolen included first and last names, Social Security numbers, driver’s license numbers, financial account numbers, passport numbers, and medical and treatment information. Per the standard practice in breach cases, WMDDH has provided affected customers one year of credit monitoring and identity theft services.
To be fair, the Securities and Exchange Commission (SEC) four-day reporting rule in the event of a material breach does not apply to WMDDH. Security pros also pointed out that small- and mid-sized businesses tend to not have the resources to conduct swift investigations.
“Prior to data theft forms of ransomware, it was more common for organizations, especially SMBs, to not notice breaches for months,” said John Bambenek, president of Bambenek Consulting. “Many organizations simply cannot afford to fully staff or equip their security teams. AI is very dangerous to use for this mostly because attackers already have decades more experience fooling automated systems.”
While thorough investigations take time, more than 10 months to identify affected individuals is concerning, said Stephen Kowski, Field CTO at SlashNext Email Security.
Kowski said companies should leverage automated data discovery and classification tools to maintain an accurate inventory of sensitive information, which allows for faster impact assessments when incidents occur, enabling quicker notifications to affected parties and regulators.
“Speeding up breach investigations requires a multi-faceted approach,” said Kowski. “Advanced AI-powered tools can significantly accelerate threat detection and data analysis, helping identify compromised information faster.
“Combining the latest AI technology with skilled personnel and streamlined processes can also help reduce investigation timelines and improve incident response.”
