Oregon Data Breaches Rise in 2021; Oregon AG Settles with CPA Firm

October 7, 2021

In recognition of October’s Cybersecurity Awareness Month, Attorney General Rosenblum today released updated data showing an increase in data breaches reported to the Oregon Attorney General’s Office. For the first nine months of 2021, there have already been 131 breaches reported, as compared with 110 reported incidents in 2020. More ransomware attacks, in which an attacker threatens to block access to your computer or software system, have also been reported. Most of these breaches happen online and involve businesses across all industries.

In September 2021, the Oregon DOJ for the first time also settled a data breach case involving an Oregon professional services firm. The $50,000 settlement with Gustafson & Company LLC, a Portland-based certified public accounting (CPA) firm, stems from a 2020 data breach that exposed the personal and financial information of 1,881 Oregonians.

“This month is a good reminder to do a ‘cyber security clean-up’,” said Attorney General Rosenblum. “Make sure your passwords are strong and the software on all of your devices is up to date. You should never click a link you are not familiar with, and watch for signs of somebody spoofing a boss, client, or other person in your network. Do not click on a link in an email or a text message if anything does not look —or feel— right.”

Data Breaches Reported to the Oregon DOJ:

2018: 109 reported breaches
2019: 99 reported breaches
2020: 110 reported breaches
2021: 131 reported breaches (as of September)

In 2015, Attorney General Rosenblum spearheaded updates to Oregon’s data breach laws, giving her office authority to enforce state penalties against violators. Since then, the DOJ has investigated and negotiated numerous settlements on behalf of Oregon consumers, including a $2.8 million share of a 50-state settlement with consumer credit reporting giant Equifax, and a $10 million nationwide settlement against health insurer Premera Blue Cross. Last year, Oregon DOJ also settled with Burgerville for $150,000 and several significant changes to company operations to better protect information.

Gustafson Data Breach:

In January 2020, a scammer gained access to Gustafson’s computer network by posing as a client attempting to send a W-2 via a zip file. The malware was on the Gustafson network for approximately one week before it was identified and removed from the network. Even though the firm had a large volume of sensitive data about its clients, Gustafson allegedly failed to investigate the breach to determine whether any files had been accessed. Only in March 2020, after five more clients had fraudulent tax returns filed, did Gustafson retain a forensic investigator to conduct a comprehensive investigation into the incident.

Gustafson did not notify Oregon residents of the breach until late May 2020. Under Oregon law, a company should give notice of a breach of security in the most expeditious manner, but no more than 45 days after discovering the breach of security.

“CPAs have a duty to keep consumer data safe from unauthorized access,” said AG Rosenblum. “My office will continue to monitor and crack down on those who have access to Oregonians’ personal and financial information and who do not maintain the highest security standards.” AG Rosenblum also thanked her team at the Oregon Department of Justice, including Assistant Attorney General Kristen Hilton in the Consumer Protection Section.

In addition to the $50,000 settlement, Gustafson will develop and maintain several data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

For more information on reporting a data breach to the Oregon Department of Justice visit: