Young & Company, LLC (“Young & Co.”) recently disclosed a cybersecurity incident involving unauthorized access to employee email accounts that may have exposed sensitive personal information. According to the company, unauthorized individuals accessed certain email accounts for several months in 2025. Although Young & Co. states it is not aware of misuse of the affected information, impacted individuals are being offered complimentary credit monitoring services through IDX.
Young & Company, LLC’s Data Breach Investigation
According to the notice submitted to Maine regulators, Young & Company was alerted to unusual activity involving an employee email account and promptly launched an investigation into the matter. The investigation determined that an unauthorized individual gained access to certain employee email accounts between February 24, 2025, and May 22, 2025.
Following discovery of the unauthorized access, Young & Co. undertook a review of the data contained within the impacted email accounts to determine whether personal information may have been involved and identify the individuals connected to the information. The company also retained a third-party vendor to conduct an advanced search and confirm address information to ensure the accuracy of notifications sent to affected individuals.
That review process concluded on or around March 31, 2026. According to the company, the information involved varied by individual but may have included names and Social Security numbers.
Exposure of Social Security numbers can create ongoing risks involving identity theft, fraudulent account openings, tax fraud, and other forms of financial misuse. Although the company stated that the information varied between affected individuals, the compromise of employee email accounts can also increase the risk of phishing attacks and unauthorized access to additional sensitive information.
Young & Co. stated that it moved quickly to respond to the incident by securing the affected email accounts, assessing the security of its email environment, notifying law enforcement and relevant regulatory authorities, and reviewing and enhancing existing security policies and procedures.
The company also began providing complimentary credit monitoring services through IDX for a period of 12 months to individuals whose information may have been affected.
When Did This Breach Occur?
The unauthorized access reportedly occurred between February 24, 2025, and May 22, 2025.
Young & Co. completed its review of affected data on or around March 31, 2026. Written notification letters were sent to affected individuals beginning on or about May 11, 2026.
What Information Was Breached?
According to Young & Company, the potentially exposed information may have included:
- Names
- Social Security numbers
The company stated that the information involved varied by individual. Exposure of this type of information can increase the risk of identity theft and financial fraud.
What You Can Do
If you received a notice from Young & Company regarding this incident, there are several important steps you can take to help protect your information:
- Enroll in the complimentary 12 months of credit monitoring services offered through IDX.
- Monitor your financial accounts and credit reports closely for suspicious activity.
- Consider placing a fraud alert or security freeze with Equifax, Experian, and TransUnion.
- Obtain free annual credit reports through AnnualCreditReport.com.
- Remain cautious of phishing emails, phone calls, or text messages requesting sensitive information.
- Promptly report suspicious activity to your financial institutions, law enforcement authorities, or the Federal Trade Commission.
- Keep copies of all communications related to the incident for your records.
Young & Co. also encouraged affected individuals to remain vigilant against identity theft by reviewing account statements and monitoring free credit reports regularly.
File a Data Breach Lawsuit Against Young & Company, LLC
Individuals affected by the Young & Company data breach may have legal rights and could qualify to pursue compensation related to the exposure of their sensitive personal information. Data breach lawsuits may seek compensation for identity theft risks, financial losses, out-of-pocket expenses, time spent responding to fraud concerns, and loss of privacy.
Organizations that collect and store Social Security numbers and other sensitive personal information are expected to maintain reasonable cybersecurity safeguards to protect that data from unauthorized access. When those safeguards fail, affected individuals may face long-term financial and privacy risks.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
