Donaghy Sales Email Compromise Exposes Employee Data
Donaghy Sales LLC disclosed a business email compromise after an attacker accessed a corporate email account for two days in July 2025, exposing personal information.
Business Email Compromise at Donaghy Sales LLC - 143 Days to Notify
Donaghy Sales LLC, a wholesale food and beverage distributor headquartered in Fresno, California, disclosed a data breach with the California Attorney General after an unknown actor gained unauthorized access to a single corporate email account between July 22 and July 23, 2025. The company did not determine that personal information was involved until December 4, 2025, and notification letters were dated December 12, 2025 -- 143 days after the initial compromise.
The breach is a textbook business email compromise (BEC) incident. A single email account was infiltrated, files within the account were potentially acquired, and some of those files contained personal information. The company has not disclosed how many individuals were affected, what specific data elements were exposed, or how the attacker gained access. The notification letter uses a templated placeholder for data elements, indicating that different individuals had different categories of information at risk.
Donaghy Sales operates outside the financial services sector -- it distributes food and beverage products across Central California. But corporate email accounts at companies of any size routinely contain financial data: direct deposit forms, tax documents, payroll records, vendor payment details, and benefits enrollment information. When a BEC attack compromises an email account, the attacker inherits access to whatever financial information passed through that inbox.
Timeline of Events
The notification letter establishes a timeline with significant gaps between each phase.
- July 22-23, 2025: An unknown actor gains unauthorized access to Donaghy Sales' email environment. The company later describes this as "unusual activity within a single corporate email account."
- July 22, 2025: The California AG filing lists this date as the disclosure date, though the context suggests this is when the incident occurred, not when it was reported.
- December 4, 2025: Donaghy Sales completes its investigation and determines that files potentially acquired by the attacker "may have contained personal information." This is 135 days after the initial compromise.
- December 12, 2025: Notification letters are mailed to affected individuals, 8 days after the PII determination and 143 days after the breach.
The 135-day gap between the incident and the determination that personal information was involved is the most notable element of this timeline. Two scenarios explain it. First, the company may not have detected the compromise until well after July 23 -- meaning the intrusion sat unnoticed for weeks or months before the investigation even began. Second, the forensic review of email contents may have required extensive manual analysis to identify which files contained PII and which individuals were affected.
Either scenario raises concerns. If Donaghy Sales lacked the monitoring to detect unauthorized email access for months, that is a fundamental gap in security visibility. If they detected it promptly but took 135 days to determine what was in the compromised account, that points to an email environment with poor data classification and no content-level controls.
What Data Was Exposed
The notification letter does not specify the data elements exposed. The template reads "<<Data Elements>>," indicating that each affected individual receives a customized list of their compromised information categories. This personalization is standard practice when a breach involves heterogeneous data -- the email account likely contained a mix of documents with varying PII types rather than a single structured database.
Based on the remediation offered -- IDX identity protection with credit monitoring, CyberScan dark web monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery -- the exposed data almost certainly includes Social Security numbers or financial account numbers. Companies do not offer $1 million insurance policies and 12- to 24-month monitoring subscriptions for name-and-email-only exposures. The scope of the IDX package signals that high-sensitivity data was at risk.
For a wholesale distributor, the corporate email account of an HR, finance, or operations employee would contain some combination of: employee W-2s and tax forms, direct deposit authorization forms with bank routing and account numbers, benefits enrollment documents with SSNs, vendor payment records, and customer invoicing data. The compromised account's role within the organization determines the specific mix, but any of these document types would justify the level of remediation Donaghy Sales is providing.
How Business Email Compromise Works
BEC is the most financially damaging category of cybercrime tracked by the FBI's Internet Crime Complaint Center (IC3). The IC3's 2024 annual report documented over $2.9 billion in losses from BEC attacks alone -- more than any other cybercrime category. The attack typically follows one of several patterns: credential phishing that captures the victim's email login, brute-force or password-spray attacks against email accounts with weak or reused passwords, or exploitation of session tokens through adversary-in-the-middle phishing kits.
Once inside the email account, the attacker can read existing messages, search for sensitive attachments, set up forwarding rules to maintain access even after a password change, and impersonate the account holder to request wire transfers, payroll changes, or vendor payment redirections. The two-day access window at Donaghy Sales (July 22-23) is consistent with a targeted data theft operation -- the attacker accessed the account, searched for and downloaded files of interest, and moved on.
The Verizon 2025 Data Breach Investigations Report consistently identifies email compromise as one of the primary vectors for data breaches, with social engineering and credential theft driving the majority of incidents. For small and mid-size companies without dedicated security operations centers, email account compromises frequently go undetected for days or weeks because the attacker's activity -- logging in, reading messages, downloading attachments -- mimics legitimate user behavior.
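The behaviors described above (a login from an unfamiliar address, a new forwarding rule, a burst of attachment downloads) can be correlated per mailbox so that they stand out from routine use. The sketch below is an added example, not part of the Donaghy Sales disclosure; the JSON-lines schema, field names, domain, and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed audit events in a hypothetical JSON-lines schema (not a real product's format).
SAMPLE_LOG = """
{"ts":"2025-07-14T08:58:02","user":"ap@corp.example","ip":"198.51.100.7","op":"login"}
{"ts":"2025-07-14T09:03:40","user":"ap@corp.example","ip":"198.51.100.7","op":"attachment_download"}
{"ts":"2025-07-15T10:00:00","user":"hr@corp.example","ip":"198.51.100.7","op":"login"}
{"ts":"2025-07-22T02:11:09","user":"ap@corp.example","ip":"203.0.113.50","op":"login"}
{"ts":"2025-07-22T02:12:30","user":"ap@corp.example","ip":"203.0.113.50","op":"new_inbox_rule","forward_to":"box@mail.invalid"}
{"ts":"2025-07-22T02:13:01","user":"ap@corp.example","ip":"203.0.113.50","op":"attachment_download"}
{"ts":"2025-07-22T02:13:04","user":"ap@corp.example","ip":"203.0.113.50","op":"attachment_download"}
{"ts":"2025-07-22T02:13:09","user":"ap@corp.example","ip":"203.0.113.50","op":"attachment_download"}
{"ts":"2025-07-23T10:00:00","user":"hr@corp.example","ip":"198.51.100.7","op":"login"}
{"ts":"2025-07-23T10:05:00","user":"hr@corp.example","ip":"198.51.100.7","op":"new_inbox_rule","forward_to":"archive@corp.example"}
"""

BASELINE_END = "2025-07-21T00:00:00"  # earlier events build each user's known-IP set
DOWNLOAD_THRESHOLD = 3                 # downloads from one unfamiliar IP that trigger an alert
INTERNAL_DOMAIN = "corp.example"       # assumed organization mail domain

def detect(log_text):
    """Return (user, ip, reason) alerts for post-baseline mailbox activity."""
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    known_ips = defaultdict(set)
    downloads = defaultdict(int)
    alerts = []
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["ts"] < BASELINE_END:
            known_ips[user].add(ip)
            continue
        unfamiliar = ip not in known_ips[user]
        if e["op"] == "new_inbox_rule":
            # A forwarding rule keeps working after a password reset, so flag
            # any rule that sends mail outside the organization.
            target = e.get("forward_to", "")
            if target and not target.endswith("@" + INTERNAL_DOMAIN):
                alerts.append((user, ip, "external_forwarding_rule"))
        elif e["op"] == "attachment_download" and unfamiliar:
            downloads[(user, ip)] += 1
            if downloads[(user, ip)] == DOWNLOAD_THRESHOLD:
                alerts.append((user, ip, "bulk_download_from_unfamiliar_ip"))
        elif e["op"] == "login" and unfamiliar:
            alerts.append((user, ip, "login_from_unfamiliar_ip"))
    return alerts
```

Any mailbox that raises all three reasons from the same address within minutes is a strong candidate for immediate session revocation and rule review.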
Vendor Risk Implications for Financial Partners
Donaghy Sales is classified as a vendor in our breach tracker because companies in the food and beverage distribution chain maintain financial relationships with banks, payment processors, and commercial lenders that depend on the confidentiality of shared financial data. A compromised email account at a distributor can expose bank account details for electronic payments, credit application information shared with lenders, or tax documentation exchanged with financial partners.
This is not a hypothetical concern. The email account that was compromised may have contained wire transfer instructions, ACH payment details, or financial statements shared with banking partners. If any of that information was exfiltrated, the risk extends beyond Donaghy Sales' employees to its financial counterparties.
The pattern mirrors what we documented in the Bayou Media Development breach, where a vendor's compromised infrastructure exposed client data that the clients' own customers never expected a third party to hold. It also parallels the Edelman Financial Engines incident, where unauthorized access to a system -- detected the same day -- still resulted in the exposure of sensitive personal and financial data for thousands of individuals.
Across our breach tracker, email compromise and unauthorized access incidents at vendors continue to represent a persistent category. The Corban OneSource breach exposed 1,593 SSNs after a network intrusion at the payroll vendor. The Byzfunder breach compromised 1,719 records through unauthorized access to a cloud platform. Each incident reinforces the same principle: the security posture of your vendors directly determines the security of your data.
The Notification Gap Problem
The 143-day notification timeline at Donaghy Sales is not unusual -- it falls within the range observed across many breaches in our database -- but that does not make it acceptable. For BEC incidents specifically, the delay creates compounding harm.
During those 143 days, compromised personal information could have been sold on dark web marketplaces, used to file fraudulent tax returns (the breach occurred in July, giving an attacker months before the following tax season), or leveraged to conduct secondary attacks such as phishing campaigns impersonating the victims. Every day between breach and notification is a day the affected individual cannot take protective action because they do not know they are at risk.
California's breach notification statute (Cal. Civ. Code Section 1798.82) requires notification "in the most expedient time possible and without unreasonable delay." The law provides no specific day count, leaving "reasonable" to interpretation. The California Attorney General's office has previously issued guidance suggesting that delays beyond 60 days warrant scrutiny. Donaghy Sales' 143-day timeline -- for a breach involving a single email account -- is difficult to reconcile with that guidance.
By contrast, the FTC's Health Breach Notification Rule requires notification within 60 days, and the NYDFS Cybersecurity Regulation requires covered entities to report cybersecurity events within 72 hours. While neither regulation directly governs a California food distributor, they represent the direction regulators are moving: shorter deadlines, measured in days rather than months.
What This Breach Tells Us About Email Security Gaps
BEC attacks succeed because email remains the least controlled data repository in most organizations. Companies invest in endpoint detection, network segmentation, and database encryption -- then leave years of sensitive attachments sitting in email accounts protected by a single password and, in many cases, no multi-factor authentication.
The Donaghy Sales incident involves a single corporate email account accessed for two days. The attack surface was narrow. But the potential data exposure was broad, because email accounts accumulate sensitive documents over time with no automated classification, retention enforcement, or access controls on individual messages and attachments.
For any organization -- financial institution or not -- this breach underscores three email security fundamentals that remain widely neglected:
- Enforce phishing-resistant MFA on all email accounts. FIDO2/WebAuthn security keys or passkeys eliminate the credential theft vector entirely. SMS and app-based one-time codes are better than nothing but remain vulnerable to adversary-in-the-middle attacks. CISA's guidance on phishing-resistant authentication provides implementation specifics.
- Implement email data loss prevention (DLP) policies. Automated scanning for SSNs, account numbers, and other sensitive data in email attachments -- combined with policies that block or encrypt outbound messages containing PII -- reduces the volume of sensitive data sitting in email accounts waiting to be stolen.
- Enforce email retention policies. If an email account does not need to retain messages and attachments older than 90 days, do not let it. Automated purging of aged email content limits the blast radius of any single account compromise. The two-day access window at Donaghy Sales would have been far less damaging if the account contained 90 days of email rather than potentially years of accumulated files.
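The DLP scanning described in the list above comes down to pattern matching plus validation, so that ticket numbers and other digit runs do not flood the queue with false positives. The sketch below is an added example, not code from any DLP product; the function names, the block-or-encrypt policy, and the mail domain are assumptions, and the sample text is constructed.

```python
import re

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
ROUTING_RE = re.compile(r"(?<!\d)(\d{9})(?!\d)")

# Constructed sample text resembling a direct deposit form pasted into an email.
SAMPLE = ("Direct deposit form: SSN 123-45-6789, routing 123456780. "
          "Ref 000-12-3456, ticket 123456789.")

def plausible_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00, and serial 0000 are never issued as SSNs.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def valid_aba(number):
    # ABA routing checksum: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is a multiple of 10.
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return number != "000000000" and total % 10 == 0

def scan(text):
    """Return (kind, value) findings; SSNs are masked so the alert itself holds no PII."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in ROUTING_RE.finditer(text):
        if valid_aba(m.group(1)):
            findings.append(("aba_routing", m.group(1)))
    return findings

def outbound_action(body, recipient, internal_domain="corp.example"):
    # Assumed policy: sensitive content is encrypted internally and blocked externally.
    if not scan(body):
        return "allow"
    return "encrypt" if recipient.endswith("@" + internal_domain) else "block"
```

Running the same `scan` over stored mail, not only outbound messages, gives an inventory of which mailboxes hold sensitive documents before an incident forces a manual review.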
Action Items for Affected Individuals
If you received a notification letter from Donaghy Sales LLC, take these steps immediately.
- Enroll in IDX identity protection before the March 12, 2026 deadline. The package includes credit monitoring, CyberScan dark web monitoring, a $1,000,000 insurance policy, and fully managed identity theft recovery services.
- Place a credit freeze with Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-800-888-4213). A freeze prevents new accounts from being opened in your name and is free to place and lift.
- Request an IRS Identity Protection PIN at irs.gov/ippin. The July 2025 breach date means your SSN could have been used in fraudulent 2025 tax filings. An IP PIN blocks unauthorized returns.
- Review your bank and financial accounts for unfamiliar transactions. If the compromised email contained direct deposit forms or ACH details, monitor your bank accounts closely for unauthorized debits or changes.
- Watch for targeted phishing attempts. An attacker who read the contents of a corporate email account may use details from those messages -- project names, colleague names, vendor relationships -- to craft convincing phishing emails. Treat unsolicited messages referencing Donaghy Sales or its business partners with heightened skepticism.
- Check your credit reports at annualcreditreport.com. You are entitled to free weekly reports from all three bureaus. Look for accounts, inquiries, or addresses you do not recognize.