Over 16,600 Exposed in Hallisey & D’Agostino Breach as Lawyers Probe for Class Action
Hallisey & D’Agostino's data breach exposed personal data for 16,683 individuals, leading to a class action investigation by Shamis & Gentile P.A.
A data breach at accounting firm Hallisey & D’Agostino exposed personal data for 16,683 individuals, prompting a class action investigation.
Hallisey & D’Agostino, a public accounting firm based in Wethersfield, Connecticut, has confirmed a data breach impacting over 16,600 individuals. The incident involved unauthorized access to its network, potentially compromising sensitive personal information. Public accounting firms hold a significant volume of confidential client data, making them prime targets for cyberattacks.
The firm first detected unusual network activity on October 21, 2025. An internal investigation, supported by external cybersecurity experts, revealed that an unauthorized actor maintained access to its network from September 28, 2025, through October 22, 2025. This prolonged access allowed the actor to potentially acquire files containing personal data.
A comprehensive review of the affected data concluded on March 19, 2026, confirming the scope of the exposure. Notifications were subsequently sent to all affected individuals on April 17, 2026. The breach impacted 16,683 people across the United States, including 74 individuals located in Maine.
The breach has drawn legal scrutiny, with law firm Shamis & Gentile P.A. initiating an investigation into the Hallisey & D’Agostino incident. This investigation aims to assess grounds for a potential class action lawsuit on behalf of affected individuals. Such legal actions frequently seek compensation for damages stemming from exposed personal data.
### What Defenders Should Do
Organizations, particularly those handling sensitive client data, must prioritize robust cybersecurity defenses. Implementing multi-factor authentication (MFA), regular security audits, and timely patching of known vulnerabilities are critical steps. MFA requires users to provide two or more verification factors to gain access to a resource, adding a crucial layer of security.
Continuous monitoring for unusual network activity can aid in early detection and limit potential "dwell time," which is the period an unauthorized actor remains undetected within a network. Employee training on phishing and social engineering tactics also forms a vital layer of defense against initial access vectors.
The outcome of the ongoing legal investigation will likely influence future breach disclosure practices and the liabilities faced by organizations managing sensitive client data.