To All Clients, Past and Present,[i]
We are writing to inform you of a recent security incident at Shafran & Rock, pllc. This notification is sent pursuant to the New York State Information and Security Breach and Notification Act (General Business Law Section 899-aa or State Technology Law Section 208).
On May 15, 2020, our computer system was hacked by a ransomware virus known as REvil-Sodinokibi. The perpetrators penetrated the security, most likely by an email with the virus attached. The virus activated and encrypted our data files, attaching a ransom demand. The demand offers to remove the encryption for bitcoin payment transacted over the dark web. There is no evidence or threat that any client data was stolen or downloaded, although we cannot determine this with absolute certainty. The ransom demand makes no mention of having taken any data, only encryption. The data Shafran & Rock, pllc would have are medical records and, on a limited and small number of clients, a social security number and/or driver’s license number. We have never collected credit card numbers or any financial data.
We have reported this illegal intrusion to the New York State Office of the Attorney General, the New York State Division of State Police, and the Department of State’s Division of Consumer Protection. To prevent this from ever happening again, we have upgraded our internet security to state-of-the-art protection with 24-hour systems monitoring.
To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request. A fraud alert should not stop you from using your existing credit cards or other accounts, but it may slow down your ability to get new credit. An initial fraud alert is valid for ninety (90) days. To place a fraud alert on your credit reports, contact one of the three major credit reporting agencies at the appropriate number listed below or via their website. One agency will notify the other two on your behalf. You will then receive letters from the agencies with instructions on how to obtain a free copy of your credit report from each.
New York residents can also consider placing a Security Freeze on their credit reports. A Security Freeze prevents most potential creditors from viewing your credit reports and therefore, further restricts the opening of unauthorized accounts. For more information on placing a security freeze on your credit reports, please go to the New York Department of State Division of Consumer Protection website at http://www.dos.ny.gov/consumerprotection.
When you receive a credit report from each agency, review the reports carefully. Look for accounts you did not open, inquiries from creditors that you did not initiate, and confirm that your personal information, such as home address and Social Security number, is accurate. If you see anything you do not understand or recognize, call the credit reporting agency at the telephone number on the report. You should also call your local police department and file a report of identity theft. Get and keep a copy of the police report because you may need to give copies to creditors to clear up your records or to access transaction records.
Even if you do not find signs of fraud on your credit reports, we recommend that you remain vigilant in reviewing your credit reports from the three major credit reporting agencies. You may obtain a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228 or by completing an Annual Credit Request Form at: www.ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing to:
Annual Credit Report Request Service,
P.O. Box 1025281
Atlanta, GA 30348-5283
For more information on identity theft, you can visit the following websites:
NYS Dept. of State Div. of Consumer Protection: http://www.dos.ny.gov/consumerprotection
NYS Attorney General: http://www.ag.ny.gov/home.html
Federal Trade Commission: www.ftc.gov/bcp/edu/microsites/idtheft/
We are sorry to bring you this news, but it is important that you know of this breach. Even though the information was limited and applies to only a few clients, we cannot identify whose information may be affected. We are, therefore, advising all existing and prior clients to be extra vigilant.
If there is anything Shafran & Rock, pllc can do to further assist you, please call us at (845) 383-1170.
Shafran & Rock, pllc
[i] We are publishing this letter for all clients while we work to contact you individually. Among the data that has become unrecoverable are client names, addresses, phone number and emails, therefore, the we are doing this until we’ve completed our contact information.