Almeida Law Group is investigating a data breach at Sprague and Jackson. The breach occurred on September 22, 2025 and was discovered on September 22, 2025. If you were affected, contact Almeida Law Group.
About Sprague and Jackson
Sprague & Jackson is a full-service accounting firm based at 121 E. Seneca St. in Ithaca, New York. The firm provides tax preparation, bookkeeping, payroll services, estate planning, financial consulting, and IRS/NYS representation, and has served the Tompkins County community for years. As an accounting firm, it routinely handles sensitive financial and tax-related information for its clients, making the security of its systems particularly important.
What Happened?
Sprague and Jackson was listed in a Maine Attorney General filing on May 26, 2026, in connection with a data breach described as an external system breach (hacking). The breach occurred and was discovered on September 22, 2025, but consumer notification was not sent until May 26, 2026—approximately eight months later. The filing did not disclose the total number of persons affected, and the specific types of information compromised were not specified. Sprague and Jackson offered affected individuals 12 months of credit monitoring and identity protection through TransUnion.
The Qilin ransomware group publicly claimed responsibility for an attack on Sprague & Jackson on October 16, 2025, with an estimated attack date of October 15, 2025—a timeline that does not precisely align with the September 22 breach date in the Maine filing, potentially reflecting different phases of the intrusion. Qilin operates a double-extortion ransomware-as-a-service model and threatened to release approximately 49 GB of exfiltrated data unless negotiations were initiated. Outside counsel from Clark Hill submitted the Maine filing on behalf of the firm.
Key Facts at a Glance
- Company or Organization: Sprague and Jackson
- Industry: Accounting Services / Financial Services
- Location: Ithaca, NY
- Incident type: External system breach (hacking) / Ransomware (Qilin)
- Date of breach: September 22, 2025
- Date breach discovered: September 22, 2025
- Date of consumer notification: May 26, 2026
- Identity theft protection offered: Yes — TransUnion credit monitoring and identity protection, 12 months
- Source: Maine Attorney General filing; BreachSense; DeXpose
What Should You Do?
If you received a breach notification from Sprague and Jackson, enroll in the complimentary 12-month TransUnion credit monitoring and identity protection service as soon as possible, paying close attention to any enrollment deadline in your notification letter. Consider placing a fraud alert or credit freeze on your credit files with all three major bureaus (Equifax, Experian, and TransUnion) to help prevent unauthorized accounts from being opened in your name. Monitor your bank accounts, credit card statements, and credit reports closely for any unfamiliar activity. You are entitled to free credit reports at AnnualCreditReport.com. If you discover signs of identity theft, report it at IdentityTheft.gov, which provides step-by-step recovery plans.
Your Legal Rights
If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
