Optima Tax Relief Pwned By The Chaos Group
Optima Tax Relief was hit by a ransomware attack by Chaos group threat actors who are now leaking 69 GB of data stolen from the company. BleepingComputer has details:
Today, the Chaos ransomware gang added Optima Tax Relief to its data leak site, claiming to have stolen 69 GB of data.
This data contains what appears to be corporate data and customer case files. Tax documents commonly contain sensitive personal information, such as Social Security numbers, phone numbers, and home addresses, which can be used for malicious activity by other threat actors or identity theft.
Sources with knowledge of the attack told BleepingComputer that this was a double-extortion attack, with the threat actors not only stealing data from the company but also encrypting servers.
Ensar Seker, CISO at SOCRadar:
“The Optima Tax Relief breach underscores the growing interest of ransomware groups like Chaos in targeting high-trust financial service providers that handle sensitive personal data. This isn’t just a business disruption issue, it’s a national identity risk.
“Tax resolution firms like Optima are rich targets because they aggregate the full spectrum of personally identifiable information (PII): Social Security numbers, tax documents, financial disclosures, and often even power-of-attorney authorization records. When exfiltrated, this data doesn’t just enable identity theft, it fuels secondary fraud operations for years.
“The fact that this was a double-extortion attack, involving both encryption and data theft, is unfortunately now the standard playbook. What’s more concerning is that Chaos ransomware has only recently emerged, yet already demonstrates the operational maturity of a seasoned group. Their ability to launch effective attacks and publicize breaches so quickly suggests they’re leveraging pre-existing access-as-a-service networks or recycled stealer logs for rapid compromise.
“From a defender’s standpoint, this is a call to action: Organizations that handle financial or tax data need to treat endpoint telemetry, privileged access management, and data exfiltration detection as minimum baselines. And more broadly, this reinforces the importance of having not only an incident response plan but a breach communications plan tailored for sensitive customer-impact scenarios.”
Erich Kron, Security Awareness Advocate at KnowBe4:
“The Chaos ransomware group is fairly new on the scene but has claimed a few victims already. This victim is an interesting one due to the significant amount and types of data that were collected and likely stolen. The customers will have provided not only Social Security numbers and other personal information, but also a lot of personal and sensitive financial information that may be embarrassing and that they may not want to be made public. The type of information stolen could also be used by social engineers to convince victims that they are from Optima and may lead to future scams and financial losses.
“The specific attack vector has not been released, but generally speaking, ransomware is most often spread through attacks on the humans within organizations, such as email phishing, vishing, or smishing. For this reason it is very important for organizations to have a robust and well-planned human risk management (HRM) program in place.”
This is an attack that will not end well. Not for Optima, and not for their customers. Expect this hack to reverberate for months or longer.
This entry was posted on June 9, 2025 at 3:23 pm and is filed under Commentary with tags Hacked.