
Kerkering, Barberio & Co., a certified public accounting firm based in Sarasota, Florida, disclosed a data breach that affected 4,179 people in the United States. The firm reported the breach to state attorneys general in March 2026, nearly 10 months after first discovering the incident.
The company found the breach on May 27, 2025, according to its notification letters to consumers. It sent written notices to affected individuals on March 13, 2026.
The types of personal information exposed were extensive, ranging from Social Security numbers and bank account details to passport scans, medical information and login credentials.
On or around May 27, 2025, Kerkering discovered that an unauthorized person had gained access to four of the company's email accounts, according to the firm's notification letters. The firm isolated those email accounts and hired a third-party cybersecurity company to secure the accounts and investigate what happened.
The forensic investigation found evidence that some of the firm's files had been accessed by the unauthorized actor. Based on those findings, the company brought in a separate data mining vendor to review the affected data.
On March 6, 2026, the firm finalized its list of individuals to notify. That process took more than nine months from the date the breach was first discovered.
The breach affected three Maine residents, 21 Massachusetts residents and four New Hampshire residents, according to filings with those states' attorneys general.
According to the company's notification to consumers, the data that may have been accessed includes names, addresses, dates of birth, Social Security numbers, trust names and Social Security numbers, email addresses, home phone numbers, mobile phone numbers, bank account details, credit card numbers (including CVCs, expiration dates, credit card scans), driver's license numbers (scans, expiration dates), passport numbers (scans, expiration dates), login access info (username and password), medical reference numbers, private health member IDs, financial account information, health insurance information, medical information, biometric data and taxpayer identification numbers.
After discovering the breach, the firm disconnected all access to the impacted email accounts, changed administrative credentials, restored operations in a secure mode and enhanced its security measures. The company also stated it will continue to take steps to reduce the risk of future harm.
Kerkering hired the law firm Wilson Elser Moskowitz Edelman & Dicker LLP to handle the breach response and regulatory notifications. The company also engaged a third-party notification vendor to help with the process of alerting affected individuals.
The firm is offering all affected individuals 12 months of free credit monitoring and identity theft restoration services through Cyberscout, a TransUnion company. These services include single bureau credit monitoring, a single bureau credit report and a single bureau credit score.
The company set up a toll-free call center for people with questions. Affected individuals can call 1-833-297-3832, Monday through Friday, from 8 a.m. to 8 p.m. Eastern time, excluding national holidays.
Freeze credit reports. With Social Security numbers exposed, placing a credit freeze with all three major credit bureaus is one of the most important steps. A credit freeze prevents new accounts from being opened in a person's name. It is free to place and lift. Contact each bureau separately:
Place a fraud alert. A fraud alert tells lenders to verify a person's identity before extending new credit. It is free and lasts one year. Contacting one bureau is enough, as that bureau will notify the other two.
Request an IRS Identity Protection PIN. Because Social Security numbers and taxpayer identification numbers were exposed, tax-related identity theft is a real concern. The IRS allows any taxpayer to request an Identity Protection PIN, which prevents someone else from filing a tax return using their Social Security number.
Monitor bank and credit card accounts closely. With bank account details, credit card numbers, CVCs and expiration dates exposed, affected individuals should review their financial statements carefully for any unauthorized transactions.
Change passwords immediately. Anyone who used the same password for other accounts should change those passwords right away.
Watch for phishing attempts. Affected individuals should be cautious about emails, phone calls or texts that reference this breach or ask for additional personal details. Scammers sometimes use stolen data to craft convincing phishing messages.
Monitor health insurance statements. Affected individuals should review their Explanation of Benefits statements for any services they did not receive.
Check credit reports regularly. Everyone is entitled to free credit reports, which can be obtained at www.annualcreditreport.com or by calling 1-877-322-8228. Reviewing these reports can help people spot accounts or inquiries they do not recognize.
Report suspected identity theft. If anyone notices signs of identity theft, they should report it to local law enforcement and their state attorney general's office. They can also file a complaint with the Federal Trade Commission at www.identitytheft.gov or by calling 1-877-438-4338.







