Sax LLP, a top-ranked U.S. accounting and advisory firm, has begun notifying more than 220,000 individuals that their sensitive personal data was compromised in a cyberattack detected in mid-2024 but disclosed over 16 months later.

According to regulatory filings, attackers accessed Sax’s network in late July 2024 and exfiltrated files containing highly sensitive personal information. While the company is now offering credit monitoring services, the prolonged delay significantly limits the effectiveness of post-breach protections.

The incident highlights ongoing concerns around breach detection timelines, disclosure delays, and real-world harm to affected individuals.

Professional services firms are increasingly targeted due to the volume and sensitivity of data they handle.

Accounting firms, in particular, store tax records, identity documents, and financial details that are highly valuable on criminal markets. Despite this risk, many such firms lack the same level of security maturity expected in regulated financial institutions.

Delayed breach disclosures continue to be a systemic issue, often undermining consumer protections intended to reduce downstream harm.

In a filing with the Maine Attorney General’s Office, Sax disclosed that it detected suspicious activity on its network on August 7, 2024.

Subsequent investigation determined that attackers likely gained access in late July 2024 and remained long enough to obtain files affecting 228,876 individuals. However, Sax did not complete its investigation or begin notifying impacted individuals until more than a year later.

The firm, which reports over $100 million in annual revenue, has not publicly attributed the breach to a specific threat actor.

While Sax has not released detailed technical indicators, the breach involved unauthorized network access followed by data exfiltration.

The compromised data varies by individual and may include:

No known ransomware group has publicly claimed responsibility. This suggests either a financially motivated intrusion without a public leak strategy, or a potential private extortion scenario where disclosure was avoided.

In either case, the absence of transparency limits external validation and risk assessment.

The scope and sensitivity of the exposed data create long-term identity theft risks.

Personal identifiers such as SSNs and passport numbers cannot be rotated, meaning victims face prolonged exposure even years after the breach. While Sax is offering 12 months of credit monitoring and identity protection services, such measures are most effective immediately after data theft.

Criminal marketplaces typically monetize stolen personal data within weeks or months, rendering delayed protections largely reactive rather than preventative.

This breach underscores the consequences of extended disclosure delays.

Timely notification is critical for enabling individuals to freeze credit, monitor accounts, and reduce fraud risk. When disclosures occur more than a year after compromise, those safeguards lose much of their practical value.

The case also raises broader questions about breach reporting accountability and whether current regulatory frameworks adequately incentivize rapid disclosure.

No public attribution has been made by ransomware groups, and outlets such as SecurityWeek report no known leak site activity tied to the incident.

This ambiguity reinforces the reality that not all breaches are noisy or publicly visible—and that silent data theft can be just as damaging as headline-grabbing ransomware attacks.