Breach Analysis · 8 min read

First Atlantic Capital Breach Exposes 1,582 After Network Intrusion

New York investment firm First Atlantic Capital disclosed a data breach affecting 1,582 individuals after a September 2025 network intrusion. Analysis of the timeline and implications.

By FinSecLedger
Records: 1,582
Vector: hacking
Status: confirmed
Occurred: Sep 18, 2025
Discovered: Dec 31, 2025
Disclosed: Jan 30, 2026
Exposed: Names, SSN
Sources: Maine AG

New York Investment Firm Discloses Breach Four Months After Network Intrusion

First Atlantic Capital, Ltd., a New York-based investment firm located on the Upper East Side, disclosed a data breach on January 30, 2026, affecting 1,582 individuals. The breach stems from a network intrusion that occurred on September 18, 2025, and was not formally identified as a reportable incident until December 31, 2025 -- a 104-day gap between the initial disruption and breach confirmation.

While smaller in scale than recent mega-breaches at financial institutions, the incident raises questions about detection and response capabilities at mid-market investment firms, a segment of the financial sector that often lacks the security resources of larger broker-dealers and asset managers.

What Happened at First Atlantic Capital

On September 18, 2025, First Atlantic Capital experienced what the company described as "a disruption in our computer network." The firm took immediate steps to secure its network and retained independent cybersecurity experts to investigate.

The investigation determined that files were accessed without authorization during the intrusion. First Atlantic then conducted a review of the affected files to identify which individuals' personal information was involved. That review concluded on or around December 31, 2025 -- more than three months after the initial intrusion.

The notification letter does not specify how attackers gained access. The Maine AG filing categorizes the incident as an "external system breach (hacking)," but no details about the attack vector, exploited vulnerability, or threat actor have been disclosed. This lack of technical detail is common in notifications from smaller financial firms, where public disclosure obligations are minimal beyond the notification letter itself.

What Data Was Compromised

The notification letter states that affected individuals' names were accessed "in combination with" additional personal information. The specific data elements are personalized per individual and redacted in the sample notification filed with Maine's AG office.

The remediation package -- single-bureau credit monitoring, credit score tracking, $1 million identity theft insurance, and proactive fraud assistance through Cyberscout (a TransUnion subsidiary) -- strongly suggests that SSNs or financial account numbers were among the compromised data elements. Credit monitoring services at this level are not typically offered when only names and contact information are involved.

First Atlantic stated it has "no evidence of any identity theft or fraud arising from the incident." That language is standard in breach notifications and reflects the state of knowledge at the time of filing rather than a definitive assessment of risk.

The 134-Day Notification Timeline

The timeline deserves scrutiny:

  • September 18, 2025 -- Network disruption occurs; investigation begins
  • December 31, 2025 -- Investigation concludes; breach confirmed as reportable (104 days)
  • January 30, 2026 -- Consumer notification letters sent and Maine AG notified (30 more days)

Total elapsed time from intrusion to consumer notification: 134 days.

The 104-day investigation period is notable. For a firm with 1,582 affected individuals -- not hundreds of thousands -- the data review should have been manageable in a shorter timeframe. The delay may reflect the complexity of the forensic investigation, the involvement of outside counsel, or simply the pace at which a smaller firm without a dedicated incident response team moves through the process.

Maine law requires notification "as expediently as possible and without unreasonable delay." New York, where First Atlantic is headquartered, requires notification "in the most expedient time possible and without unreasonable delay." Whether 134 days meets that standard will depend on the specifics of the investigation, but the New York Attorney General's office has previously questioned delays of this duration.

Who Is First Atlantic Capital?

First Atlantic Capital operates from 30 East 72nd Street, Suite 11, on Manhattan's Upper East Side -- a residential-commercial area home to numerous boutique investment and wealth management firms. The firm's small footprint and the relatively modest number of affected individuals (1,582) suggest a private equity, venture capital, or family office operation rather than a large-scale asset manager.

Investment firms of this size typically hold sensitive data on investors, portfolio company executives, deal counterparties, and employees. The types of PII in their systems can include SSNs (for tax reporting), bank account numbers (for capital calls and distributions), and financial records related to investment positions.

The breach notification was filed across multiple states, including Kentucky, Maryland, Oregon, California, New York, Rhode Island, Iowa, and North Carolina, indicating that affected individuals are geographically dispersed -- consistent with an investor base rather than a locally concentrated customer population.

Regulatory and Legal Implications

As an investment firm, First Atlantic Capital likely falls under SEC oversight. The SEC's cybersecurity disclosure rules adopted in 2023 require registrants to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. Whether a breach affecting 1,582 individuals at a private investment firm triggers 8-K disclosure depends on the firm's registration status and the materiality assessment.

Separately, Regulation S-P -- the SEC's privacy and safeguards rule -- was amended in 2024 to require covered institutions to notify affected individuals within 30 days of becoming aware of an incident involving their personal information. First Atlantic's 30-day window from breach confirmation (December 31) to notification (January 30) lands right at the edge of that requirement.

State attorneys general in the notified states may review the filing. Multi-state notifications for a firm of this size are unusual -- the geographic spread suggests the firm handles data for individuals across the country, which increases regulatory surface area.

The legal representation by Constangy, Brooks, Smith & Prophete -- a national labor and employment law firm with a data privacy practice -- suggests First Atlantic is treating this as a multi-jurisdictional compliance event, not a simple single-state notification.

What This Means for Mid-Market Investment Firms

Boutique investment firms, family offices, and small broker-dealers occupy a peculiar position in the financial sector's cybersecurity landscape. They hold the same types of sensitive data as their larger counterparts -- SSNs, tax IDs, bank account details, investment records -- but often operate with minimal IT staff and no dedicated security team.

The SEC's examination priorities have consistently highlighted cybersecurity at investment advisers as a focus area. Examiners evaluate whether firms have written information security policies, incident response plans, vendor management programs, and access controls proportionate to their risk profile.

This breach at First Atlantic joins a pattern tracked in FinSecLedger's breach database. Small and mid-market financial firms are increasingly targeted precisely because they hold high-value data with lower security maturity. The Edelman Financial Engines breach and the VF Wealth Management incident reflect the same dynamic -- wealth-adjacent firms with sensitive client data and limited security infrastructure.

Remediation and Affected Individual Protections

First Atlantic is offering affected individuals credit monitoring and fraud protection services through Cyberscout, a TransUnion company. The package includes:

  • Single-bureau credit monitoring with alerts for changes to the credit file
  • Single-bureau credit report and credit score access
  • $1 million identity theft insurance
  • Proactive fraud assistance

The enrollment deadline is 90 days from the date of the notification letter. Affected individuals can enroll at bfs.cyberscout.com/activate using the activation code provided in their individual notification letter.

Beyond the offered services, affected individuals should consider placing a security freeze with all three credit bureaus (Equifax, Experian, TransUnion) -- a free measure under federal law that provides stronger protection than credit monitoring alone. A freeze prevents new credit accounts from being opened in the individual's name without explicit authorization.

Action Items for Investment Firms and Advisers

  1. Review your incident response plan. A 104-day gap between detecting a network disruption and confirming it as a reportable breach suggests the investigation process could be streamlined. Firms should have clear escalation criteria that trigger breach assessment procedures within days, not months.

  2. Assess your Reg S-P compliance posture. The SEC's amended Regulation S-P now includes a 30-day notification requirement. Firms need documented procedures to move from breach confirmation to individual notification within that window. First Atlantic met it -- barely.

  3. Inventory your sensitive data holdings. Small firms often lack a complete picture of where PII resides across file shares, email archives, CRM systems, and deal management platforms. You cannot protect or assess exposure of data you have not mapped.

  4. Evaluate your cyber insurance coverage. The cost of forensic investigation, legal counsel, notification services, and credit monitoring for 1,582 individuals is manageable for a firm with cyber coverage -- and potentially devastating for one without it. Cyberscout's involvement suggests an insurance carrier is coordinating the response.

  5. Prepare for SEC examination questions. Investment advisers should expect examiners to reference recent incidents at peer firms when evaluating their cybersecurity programs. Document your security controls, incident response exercises, and any improvements made in the past 12 months.

Tags: breach, investment, hacking, new-york, network-intrusion, maine