CFGI Financial Advisory Firm Exposes 248K Contact Records in ShinyHunters Extortion Campaign
What Happened — In March 2026, ShinyHunters launched a “pay‑or‑leak” extortion campaign against CFGI, a financial consulting and advisory firm. The group published a dump containing 248,235 unique corporate contacts – email addresses, names, job titles, phone numbers and physical addresses.
Why It Matters for Compliance & Audit Readiness
- The incident is a textbook example of a privacy breach that SOC 2 CC 3 (Confidentiality) and GDPR/CCPA‑aligned controls are designed to prevent and evidence.
- Continuous evidence of consent management, data‑minimization, and DSAR readiness is essential to demonstrate due diligence during an audit.
- Verisq’s CookiePLUS capability provides the audit‑ready consent logs and automated DSAR workflows needed to close the gap exposed by this leak.
Who Is Affected – Financial services firms, their corporate clients, and any downstream partners that rely on CFGI’s contact data.
Recommended Actions – Map the exposed data elements to your privacy control inventory, verify that consent records exist for each data subject, implement continuous monitoring of data‑exposure alerts, and collect audit‑ready evidence of remediation. Source: Have I Been Pwned – CFGI breach
Technical Notes – Attack vector appears to be stolen credentials used to access internal contact databases; no public CVEs reported. Data types include PII (names, emails, phone numbers, addresses) and corporate identifiers. Source: same as above