H&N Tax, Inc. d/b/a CSA Tax (“CSA Tax”) recently disclosed a data breach involving unauthorized access to its network. The incident may have exposed sensitive personal information, including Social Security numbers. The breach was discovered in January 2026 following a hacking-related network disruption.
CSA Tax’s Data Breach Investigation
H&N Tax, Inc., doing business as CSA Tax, notified individuals of a cybersecurity incident involving unauthorized access to certain systems within its network. According to the company’s notice, the breach stemmed from an external system intrusion—commonly referred to as a hacking incident—that occurred on or around December 2, 2025.
The company first became aware of a network disruption impacting certain systems and immediately launched an internal response. CSA Tax reports that it engaged third-party computer forensic specialists to investigate the nature and scope of the event. This step is typically taken to determine how the intrusion occurred, whether data was accessed or exfiltrated, and what information may have been impacted.
The forensic investigation concluded that certain information stored on CSA Tax’s network was subject to unauthorized access for a limited period of time on December 2, 2025. While the company states that it has no evidence of actual misuse of the affected information, unauthorized access to sensitive data—especially Social Security numbers—can significantly increase the risk of identity theft and fraud.
After identifying the unauthorized access, CSA Tax initiated a comprehensive and time-intensive review of the potentially impacted data. This process involved determining what types of information were contained within the affected systems and identifying the individuals to whom the data related. The review was completed on January 22, 2026, which is also the date the breach was officially discovered and confirmed.
Following completion of its investigation and data review, CSA Tax began notifying impacted individuals as soon as possible. The company has stated that it took steps to secure its environment immediately after detecting the disruption and has since implemented additional technical safeguards to strengthen its data security posture. These measures are intended to prevent similar incidents from occurring in the future.
CSA Tax is also offering complimentary credit monitoring and identity protection services to affected individuals. Due to privacy regulations, individuals must enroll themselves in these services. Credit monitoring may provide alerts regarding suspicious activity, but it does not prevent identity theft from occurring.
Data breaches involving tax preparation firms are particularly concerning because such organizations often store highly sensitive financial and personal information. Social Security numbers, in particular, are valuable targets for cybercriminals, as they can be used to open fraudulent accounts, file false tax returns, or commit other forms of identity fraud.
Although the total number of individuals affected has not been disclosed, 38 Maine residents were reportedly impacted by the breach. Even when a relatively small number of residents are affected, the risks associated with exposed Social Security numbers remain serious and long-lasting.
At Class Action U, we believe consumers deserve transparency and accountability when companies entrusted with sensitive financial data experience cybersecurity failures. When businesses collect and store personal information, they assume a responsibility to safeguard it using reasonable and effective security measures. If that duty is breached, impacted individuals may have legal options available to them.
Understanding what happened and what rights you may have is the first step toward protecting yourself. If you received a notification from CSA Tax, it is important to review the details carefully and consider whether additional action may be necessary.
When Did This Breach Occur?
According to the company’s disclosure:
-
Date(s) the Breach Occurred: December 2, 2025
-
Date the Breach Was Discovered: January 22, 2026
The unauthorized access to CSA Tax’s systems occurred on or around December 2, 2025. The company completed its investigation and determined the scope of affected data on January 22, 2026.
What Information Was Breached?
CSA Tax reports that the potentially affected information may have included:
-
First and last name
-
Social Security number
The exposure of Social Security numbers is particularly serious because this information can be used to commit identity theft, open fraudulent accounts, and file false tax returns.
What You Can Do
If you received a data breach notification from CSA Tax, taking immediate steps to protect yourself can help reduce the risk of identity theft and financial harm.
Consider the following actions:
-
Enroll in the complimentary credit monitoring and identity protection services offered by CSA Tax.
-
Monitor your credit reports for suspicious activity by obtaining free reports from the major credit bureaus.
-
Place a fraud alert or credit freeze on your credit file to prevent unauthorized accounts from being opened in your name.
-
Watch for signs of tax-related fraud, such as notices from the IRS about duplicate filings.
-
Keep detailed records of any unusual activity, communications, or financial losses.
You do not have to navigate this situation alone. Data breaches can have lasting consequences, and many individuals do not realize they may be entitled to compensation. Exploring your legal rights can help you understand whether you qualify to join a class action lawsuit. When consumers band together, they can hold companies accountable for failing to adequately protect sensitive data.
File a Data Breach Lawsuit Against CSA Tax
If you received a notification letter from H&N Tax, Inc. d/b/a CSA Tax informing you that your Social Security number or other personal information may have been exposed, you may be eligible to participate in a data breach lawsuit.
Class action lawsuits allow individuals affected by the same incident to unite in seeking accountability and potential compensation. This can include recovery for out-of-pocket expenses, time spent addressing fraud, identity theft losses, and other damages related to the breach.
Many people do not realize they may qualify to join a lawsuit after a data breach. Learning your rights is the first step toward protecting yourself and potentially recovering compensation. By taking action, you help send a message that companies must prioritize data security and consumer protection.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team
