Hallisey & D’Agostino Data Breach Exposes Sensitive Client Data of 16,683 People: Class Action Investigation Underway
A Connecticut public accounting firm was hacked for nearly a month in fall 2025 — and the people whose tax records, financial files, and personal data were stolen didn’t find out until April 2026. Here’s everything you need to know.
Quick Case Snapshot
| Field | Details |
|---|---|
| Organization | Hallisey & D’Agostino, LLP |
| Type | Full-service public accounting firm (CPA) |
| Headquarters | 540 Silas Deane Highway, Wethersfield, Connecticut 06109 |
| Founded | 1972 |
| Managing Partner | Nathaniel G. D’Agostino, CPA |
| Estimated Employees | ~17 |
| Breach Window | September 28, 2025 – October 22, 2025 |
| Date Discovered | October 21, 2025 |
| Data Review Completed | March 19, 2026 |
| Notifications Sent | April 17, 2026 |
| Total People Affected | 16,683 (including 74 Maine residents) |
| Data Potentially Exposed | Personal and financial information (specific categories under investigation) |
| Lawsuit Status | Active class action investigation — pre-litigation phase |
| Current Status | Pre-litigation; no formal class action complaint confirmed yet filed |
What Happened — The Core Facts
If you are a client or former client of Hallisey & D’Agostino, LLP — or if your employer used the firm to handle payroll, tax preparation, auditing, or financial advisory work — your most sensitive personal and financial information may have been accessed by cybercriminals between September and October 2025. You likely received your first notification about it in April 2026.
On October 21, 2025, Hallisey & D’Agostino, LLP identified unusual activity in its computer network. Immediate action was taken to secure the network, and an investigation was launched with the help of external cybersecurity experts. The investigation revealed that an unauthorized actor gained access to the firm’s network between September 28, 2025, and October 22, 2025, and may have acquired certain files, some of which contained personal information. After a comprehensive review of the affected data, completed on March 19, 2026, the firm determined that personal information may have been involved in the incident. Written notifications were sent to affected individuals on April 17, 2026. According to the disclosure, the breach affected 16,683 people in the United States, including 74 residents of Maine.
The unauthorized access to Hallisey & D’Agostino’s network spanned 24 days, from September 28 to October 22, 2025, and the firm did not identify unusual activity until October 21. That is nearly a full month of potential access to files containing client financial and personal data.
Who Is Hallisey & D’Agostino, LLP?
Hallisey & D’Agostino, LLP is a full-service public accounting firm offering a wide array of accounting, tax, and advisory services to individuals and small to mid-size closely-held businesses located throughout Connecticut and the surrounding areas. Since its formation in 1972, Hallisey & D’Agostino has established itself as one of the region’s premier accounting firms. Its clients operate in a variety of industries, including construction, manufacturing, real estate, professional and consumer services, and more.
The firm’s services include accounting and assurance, tax planning and compliance, IRS and state tax representation, trusts and estates, construction industry services, and business advisory.

This service profile is critical context for understanding the severity of this breach. CPA firms don’t just hold names and email addresses — they hold the full financial picture of every client they serve. A firm like Hallisey & D’Agostino routinely works with data including:
- Full Social Security numbers (required for all tax filings)
- Federal and state tax returns — including income, deductions, credits, and financial history
- Bank account and routing numbers
- Business financial statements and payroll records
- Trust and estate documents
- IRS correspondence and audit files
- Dates of birth and government identification numbers
This is, by definition, the most complete financial dossier a cybercriminal could obtain on any individual or business — assembled in one place by a firm the client explicitly trusted with their most sensitive information.
Why This Breach Is Uniquely Dangerous — The CPA Data Problem
Most data breaches involve one or two categories of sensitive information. An accounting firm breach is categorically different. When cybercriminals access a CPA firm’s network, they potentially gain access to multi-year tax histories, business financial records, payroll details, investment information, and identity documents for every client in the system — individuals, businesses, trusts, and estates alike.
A breach can result in loss of clients, damage to reputation, and lawsuits for negligence or failure to protect data. Chicago-based Legacy Professionals LLP had to notify 216,752 individuals after a 2024 hack and is already facing at least five class-action lawsuits over the exposed data.
A loss or compromise of client data may expose a CPA to claims for damages. A client or a third party can bring direct claims to cover costs associated with any damage caused by the breach, and cross-claims in the form of individual or class action lawsuits for indemnification against the firm for damages as a result of the data exposure.
The data an accounting firm holds enables criminals to:
- File fraudulent federal and state tax returns in a victim’s name to steal refunds
- Open new lines of credit using full identity profiles
- Impersonate business owners to commit wire fraud
- Access existing financial accounts using verified bank details
- Conduct synthetic identity fraud combining multiple stolen data elements
Tax identity theft is of particular concern here. Because Hallisey & D’Agostino prepares tax returns, the stolen files almost certainly include prior-year returns — giving criminals not just an identity, but a historically consistent financial profile that makes fraudulent filings harder for the IRS to flag.
The 24-Day Dwell Time — What It Means for Victims
The attacker had access to Hallisey & D’Agostino’s network for 24 consecutive days — from September 28 through October 22, 2025. In cybersecurity, “dwell time” refers to how long an attacker remains inside a network undetected. The longer the dwell time, the more comprehensive the data exfiltration typically is.
A 24-day dwell time is long enough for a sophisticated threat actor to:
- Map the entire network and identify all file storage locations
- Exfiltrate complete client databases without triggering alerts
- Access backup systems that may contain additional historical client data
- Install persistent backdoors for potential future access
The firm did not detect the intrusion until October 21 — one day before the attacker’s access window ended on October 22. This raises questions about what network monitoring capabilities were in place and whether earlier detection was possible.
The Nearly 6-Month Notification Gap
Hallisey & D’Agostino discovered the breach on October 21, 2025. Affected individuals were not notified until April 17, 2026 — approximately six months later.
The firm states that a comprehensive review of affected data was completed on March 19, 2026, and that notifications followed on April 17, 2026. The nearly one-month gap between completing the data review and issuing notifications may itself be subject to legal scrutiny.
Connecticut’s data breach notification law — Conn. Gen. Stat. § 36a-701b — requires notification to be made in the most expedient time possible and without unreasonable delay after discovery of the breach. The Connecticut Attorney General’s office received 1,830 breach notifications in 2025 and issued 63 warning letters regarding companies’ alleged delays in providing notice after discovery of a data breach. Connecticut regulators have demonstrated they are actively monitoring and enforcing notification timelines — a potentially significant development for Hallisey & D’Agostino’s regulatory exposure.
For Maine residents specifically — 74 of whom were affected — Maine’s data breach notification law requires notification within 30 days of discovering a breach. Whether this statutory deadline was met is a specific legal question investigators are evaluating.
What the Class Action Investigation Alleges
Law firms are now actively investigating potential class action claims on behalf of all 16,683 affected individuals. The core legal theories being evaluated include:
Negligence — Failure to Implement Adequate Cybersecurity
A 17-person accounting firm handling thousands of clients’ tax and financial records has an obligation to maintain security practices commensurate with the sensitivity of the data it holds. Investigators will examine whether Hallisey & D’Agostino maintained adequate: network monitoring and intrusion detection; data encryption; access controls and multi-factor authentication; employee cybersecurity training; and incident response planning.
Small-to-mid-sized firms are now the primary targets because they handle valuable business and individual financial data. Many CPA firms mistakenly believe they are too small to be targeted. The argument that size excuses inadequate security is one that courts have consistently rejected.
Negligence Per Se — FTC Safeguards Rule Violations
Accounting firms are “financial institutions” under the Gramm-Leach-Bliley Act (GLBA) and are subject to the FTC’s Safeguards Rule. This requires firms to develop and implement a comprehensive written information security program (WISP), conduct regular risk assessments, and maintain specific technical safeguards. If investigators establish that Hallisey & D’Agostino failed to meet these federal requirements, that failure may constitute negligence per se — liability established by the violation of the legal standard itself.
Breach of Fiduciary Duty and Professional Responsibility
The relationship between a CPA firm and its clients is one of professional trust. Clients share their most sensitive financial information with their accountant with an explicit expectation of confidentiality and security. Investigators are evaluating whether the breach constitutes a violation of the professional duties Hallisey & D’Agostino owed to its clients as a licensed accounting firm.
Breach of Contract
Client engagement agreements with accounting firms typically contain representations about data protection and confidentiality. If the firm’s actual security practices fell below what was promised — explicitly or implicitly — affected clients may have breach of contract claims.
Unjust Enrichment
Clients paid fees to Hallisey & D’Agostino with a reasonable expectation that the firm would maintain appropriate data security. Investigators may argue that the firm was unjustly enriched by those fees if it failed to deliver the standard of care that justified the professional relationship.
Damages Potentially Available to Victims
Affected individuals may be entitled to recover: costs of credit monitoring and identity theft protection services; financial losses from fraud traceable to the breach; out-of-pocket expenses incurred in responding to the breach; compensation for time spent mitigating the impact; emotional distress damages; and potentially punitive damages if the firm’s security failures are found to be sufficiently egregious.
Firm’s Response
Hallisey & D’Agostino, LLP has not issued a detailed public statement beyond the data breach notification letters sent to affected individuals on April 17, 2026. The firm has not publicly commented on the specific data categories involved, the nature of the cyberattack, whether a ransom demand was made or paid, or what specific security improvements are being implemented in response to the breach.
The notification letters confirm that the firm engaged external cybersecurity experts to investigate and completed a data review by March 19, 2026 — nearly five months after discovering the breach. Whether the firm is offering affected individuals any credit monitoring, identity theft protection, or other remediation services has not been publicly confirmed.
Legal Context: Why CPA Firm Breaches Are a Growing Litigation Crisis
The Accounting Sector Is Under Siege
Hallisey & D’Agostino is far from alone. CPA firms of all sizes have become prime ransomware targets in recent years, and the resulting litigation has been substantial:
Legacy Professionals LLP had to notify 216,752 individuals after a 2024 hack. The stolen data included Social Security numbers, driver’s license and state ID numbers, medical treatment information, and health insurance information. Several class action lawsuits have already been filed against the accountancy firm over the data breach.
Mercadien PC Certified Public Accountants reported a data breach discovered on November 7, 2025, with compromised information potentially including names, addresses, dates of birth, government ID numbers, Social Security numbers, financial account details, and for some individuals, usernames, passwords, IRS PIN numbers, and payment card information.
The FTC Safeguards Rule — What CPA Firms Must Do
Under the Gramm-Leach-Bliley Act’s Safeguards Rule — which applies fully to accounting firms — covered entities must: designate a qualified individual to oversee information security; conduct regular risk assessments; implement and maintain a comprehensive written information security program; encrypt customer data in transit and at rest; use multi-factor authentication; test and monitor systems regularly; and notify the FTC of qualifying breaches. Failure to meet any of these requirements can expose a firm to both regulatory action and civil liability.
Connecticut’s Regulatory Environment
Connecticut has one of the more active data privacy enforcement environments in the country. The Connecticut Attorney General’s office received 1,830 breach notifications in 2025 and issued 63 warning letters regarding companies’ alleged delays in providing notice after discovery of a data breach. Given that Hallisey & D’Agostino is a Connecticut-based firm, it falls squarely within the enforcement jurisdiction of one of the nation’s more aggressive state privacy regulators.
Are You Affected? Five Steps to Take Right Now
Step 1 — Check Your Mail
Hallisey & D’Agostino sent written notifications to affected individuals on April 17, 2026. If you received a letter from the firm about a security incident, you are a confirmed affected individual.
Step 2 — Freeze Your Credit at All Three Bureaus
Immediately contact Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com) to place a free security freeze. This prevents anyone from opening new credit accounts in your name without your authorization. This is the single most important protective step available to you.
Step 3 — Get an IRS Identity Protection PIN
Because Hallisey & D’Agostino is a tax preparation firm, your tax records are likely among the data at risk. Visit IRS.gov/ippin to request a free six-digit Identity Protection PIN. This PIN must be included on your federal tax return and prevents anyone else from filing using your Social Security number.
Step 4 — Monitor Financial Accounts Closely
Review all bank accounts, investment accounts, and credit card statements for unauthorized transactions. Set up transaction alerts where available. Given that the firm holds financial account details for many clients, direct account fraud is a real risk.
Step 5 — Contact a Data Breach Attorney for a Free Case Review
Law firms are actively investigating potential class action claims on behalf of affected individuals. Initial consultations are free, and data breach cases are handled on contingency — meaning no out-of-pocket cost to you unless compensation is recovered. Contact Shamis & Gentile P.A. or other data breach firms currently investigating this case.
Current Status & What Happens Next
The Hallisey & D’Agostino data breach case is breaking news — notifications only went out on April 17, 2026, just three days before the publication of this article. The litigation timeline from here typically follows this path:
Now — Investigation Phase: Law firms gather evidence about the breach, evaluate the firm’s pre-breach security practices against applicable legal standards, and identify the full scope of affected individuals and data types.
Coming Soon — Formal Complaint Filed: One or more formal class action lawsuits will likely be filed in Connecticut federal or state court in the weeks to months ahead, as investigators complete their assessment.
Motion to Dismiss: Hallisey & D’Agostino will almost certainly move to dismiss, likely arguing that plaintiffs cannot show concrete harm from the breach without demonstrated misuse of their data. Given recent appellate court trends — which have increasingly held that SSN and financial data exposure is itself a cognizable injury — this motion may face an uphill battle.
Discovery: The exchange of internal documents — including the firm’s cybersecurity policies, risk assessments, vendor contracts, and incident response communications — will be central to establishing the strength of the negligence case.
Class Certification → Settlement or Trial: Most CPA firm data breach cases resolve in settlement, though the timeline from filing to resolution can range from one to three years.
FAQs
Q: I’m a client of Hallisey & D’Agostino. What specific data of mine was exposed?
The firm has not publicly disclosed the specific categories of data involved in the breach. Given that it is a full-service CPA firm, the data at risk likely includes tax returns, Social Security numbers, financial account information, business records, and other sensitive files. Your notification letter may contain more specific information about what was accessed.
Q: I’m a business owner whose company used Hallisey & D’Agostino. Is my business data at risk too?
Potentially yes. The firm serves small to mid-size businesses across multiple industries including construction, manufacturing, and real estate. Business financial statements, payroll records, bank account information, and tax filings may all have been accessed. Both individual and business data claims are being investigated.
Q: How did this breach happen?
The specific attack vector has not been publicly disclosed. The firm identified “unusual activity” on October 21, 2025, and determined that unauthorized access had occurred from September 28 through October 22. Whether the attack involved ransomware, phishing, credential theft, or another method has not been confirmed.
Q: Why did it take six months to notify people?
Hallisey & D’Agostino stated that a comprehensive data review was completed on March 19, 2026, before notifications were issued on April 17, 2026. The firm has not offered a public explanation for why the data review itself took nearly five months. This timeline is a central focus of the legal investigations.
Q: Is there already a class action lawsuit filed?
As of the publication date (April 20, 2026), the case is in the pre-litigation investigation phase. Notifications only went out three days ago. Formal complaints are expected to be filed in the coming weeks or months as investigators complete their assessment.
Q: What if I haven’t noticed any fraud yet?
The absence of fraud so far does not mean you are safe or that you lack legal standing. Courts have increasingly recognized that the exposure of sensitive financial and personal data creates a credible risk of future harm sufficient to support legal claims, even before actual misuse occurs.
Q: What does it cost to join the investigation?
Nothing. Data breach law firms investigate on a contingency fee basis — meaning you pay no upfront costs, and attorneys only collect if compensation is recovered on your behalf.
Last Updated: April 20, 2026
This article is for informational purposes only and does not constitute legal advice. The Hallisey & D’Agostino data breach and all associated legal claims are currently under investigation. No class has been certified and no court has ruled on the merits of any claim. All allegations are unproven. Readers who believe they may be affected should consult a licensed attorney for advice specific to their situation.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
