MGO Ransomware Breach Exposes 1.2TB of Data

Mosley Glick O'Brien Inc. (MGO), a certified public accounting firm now based in Maumee, Ohio, disclosed a ransomware attack that may have exposed sensitive personal information belonging to certain clients and individuals. The company discovered the attack on Feb. 19, 2025, but its review of what data was affected took roughly one year to complete.

MGO issued a notification on March 16, 2026, alerting potentially impacted individuals. MGO has posted a notice on its website with details about the incident.

The total number of people affected has not been publicly disclosed.

How the ransomware attack unfolded

On Feb. 19, 2025, MGO discovered it had been hit by what it described as a "sophisticated ransomware attack," according to the company's notification. Upon discovery, MGO began working with its I.T. team and third-party forensic specialists to secure its network, restore its systems and investigate the full nature and scope of the incident.

The investigation determined that certain MGO data, kept in the normal course of business, may have been subject to unauthorized access during the attack. To understand exactly what information was involved, MGO launched a review process.

The review was completed on Feb. 24, 2026. Following the analysis, MGO determined that the affected data may have included both personally identifiable information (PII) and protected health information (PHI).

The PII that may have been exposed includes first and last names in combination with one or more of the following: Social Security numbers, driver's license or state identification numbers, dates of birth, financial account numbers, payment card numbers (with or without access information) and individual tax identification numbers.

The PHI that may have been exposed includes medical diagnosis or treatment information and health insurance information.

The ransomware group known as BianLian claimed responsibility for the attack. On a dark web site hosted on the Tor network, the group stated it had obtained 1.2 terabytes of MGO's data.

According to the posting, the stolen data includes the firm's financial records, client financial records, Quickbooks data, human resources data, business contracts and agreements, PII and PHI records, mailboxes and both internal and external email correspondence.

Steps to take if personal information was exposed

Place a credit freeze. A credit freeze prevents new credit accounts from being opened in a person's name. It is one of the most effective tools against identity theft. Individuals can contact each of the three major credit reporting agencies to place a freeze:

• TransUnion: 1-800-680-7289 or transunion.com (Credit Freeze, P.O. Box 160, Woodlyn, PA 19094)
• Experian: 1-888-397-3742 or experian.com (Credit Freeze, P.O. Box 9554, Allen, TX 75013)
• Equifax: 1-888-298-0045 or equifax.com (Credit Freeze, P.O. Box 105788, Atlanta, GA 30348-5788)

Set up fraud alerts. A fraud alert tells creditors to take extra steps to verify a person's identity before opening new accounts. Individuals can place a fraud alert by contacting any one of the three credit bureaus listed above. The alert will automatically be shared with the other two agencies.

Monitor credit reports. Free credit reports are available from each of the three bureaus once every 12 months. Individuals can request them at annualcreditreport.com or by calling 1-877-322-8228. Reviewing these reports regularly can help people spot accounts or inquiries they do not recognize.

Request an IRS Identity Protection PIN. Because Social Security numbers and individual tax identification numbers may have been exposed, affected individuals should strongly consider requesting an Identity Protection PIN from the IRS. This six-digit PIN helps prevent someone from filing a fraudulent tax return using a stolen Social Security number or tax ID.

Review financial accounts closely. Individuals should monitor their bank statements, credit card statements and other financial accounts for any unauthorized or suspicious activity. Any unusual transactions should be reported to the financial institution right away.

Watch for suspicious health insurance activity. Because medical diagnosis or treatment information and health insurance information may have been involved, affected individuals should review their Explanation of Benefits (EOB) statements for services or claims they did not authorize or receive. Medical identity theft can be harder to detect than financial fraud, so careful monitoring is important.

Be cautious of phishing attempts. Following a breach like this one, scammers may send emails, text messages or make phone calls that reference the Mosley Glick O'Brien data breach by name. These messages may try to trick people into sharing personal information or clicking harmful links. Individuals should be skeptical of any unsolicited communication asking for sensitive details, even if it appears to come from MGO or a government agency.

Report suspected identity theft. If anyone suspects their information has been misused, they can file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338. The FTC can also be reached by mail at 600 Pennsylvania Ave. NW, Washington, D.C. 20580.