Passco Companies, LLC Data Breach Analysis
Analysis of the Passco Companies, LLC data breach disclosed 2026-04-17
Passco Companies Breach Exposes 806 SSNs After Eight-Month Notification Delay
A data breach at Passco Companies, LLC exposed names and Social Security numbers for 806 individuals following unauthorized network access in August 2025. The California-based real estate investment firm disclosed the incident on April 17, 2026—more than eight months after attackers exfiltrated data from its systems, raising questions about notification timeline compliance under state breach laws.
The incident highlights ongoing third-party risk concerns in financial services, where investment firms, property managers, and adjacent service providers maintain sensitive personal data but may not operate under the same regulatory scrutiny as banks and credit unions.
Timeline of Events
The breach timeline reveals a protracted investigation and notification process:
| Date | Event |
|---|---|
| August 7, 2025 | Unauthorized access occurs; data exfiltrated |
| Late 2025 (unspecified) | Passco detects "suspicious activity" and initiates investigation |
| December 16, 2025 | Third-party review identifies affected individuals |
| April 17, 2026 | Written notifications sent to affected individuals |
The four-month gap between completing the data review in December 2025 and issuing notifications in April 2026 warrants scrutiny. Passco attributed this delay to "additional work to review and verify the affected information as well as locate address information." While address verification is a legitimate step, most state breach notification statutes set explicit deadlines that do not pause indefinitely for administrative convenience.
Maine's breach notification law, under which this disclosure was filed, requires notification "as expediently as possible and without unreasonable delay." California, where Passco is headquartered, mandates notification in "the most expedient time possible and without unreasonable delay." Neither statute defines a hard deadline, but four months of post-review verification strains the definition of expedient disclosure.
Data Exposure and Risk Profile
The exposed data elements—names and Social Security numbers—represent a high-risk combination for identity theft. Unlike email addresses or phone numbers, SSNs cannot be changed and serve as persistent identifiers across financial systems.
For the 806 affected individuals, risks include:
Synthetic identity fraud: Criminals combine stolen SSNs with fabricated personal details to create new credit profiles. The Federal Reserve estimates synthetic identity fraud costs U.S. lenders $6 billion annually.
Tax refund fraud: SSNs enable filing fraudulent tax returns before legitimate filers submit their own, diverting refunds to attacker-controlled accounts.
New account fraud: Opening credit cards, loans, or utility accounts using stolen SSN/name combinations remains the most common form of identity theft.
Employment fraud: SSNs can be used to pass background checks for unauthorized employment, potentially creating tax complications for victims.
Passco is offering 12 months of Experian IdentityWorks credit monitoring with a July 31, 2026 enrollment deadline. While standard practice, this timeline creates urgency—affected individuals have roughly three months to enroll before losing access to complimentary protection.
Attack Vector Remains Undisclosed
The notification letter provides minimal technical detail about how attackers gained access. Passco states only that it "learned of suspicious activity on certain systems in its environment" and that "limited information was taken" during "the period of unauthorized access on August 7, 2025."
The single date reference suggests either a smash-and-grab exfiltration or that forensic investigators could only substantiate one day of malicious activity. The notification does not indicate whether the intrusion involved ransomware, business email compromise, vulnerability exploitation, or insider access.
This opacity is unfortunately common in breach disclosures. Similar patterns appeared in the Batchelder Bros. Insurance breach, where network intrusion details remained vague despite SSN exposure. Financial services firms often cite ongoing investigations or law enforcement involvement to justify limited technical disclosure, but this leaves peer institutions unable to assess whether similar attack vectors threaten their own environments.
Regulatory Considerations
GLBA Safeguards Rule Applicability
Passco Companies operates as a real estate investment and property management firm. Whether the company qualifies as a "financial institution" under the Gramm-Leach-Bliley Act depends on its specific business activities. The GLBA's definition extends beyond banks to include entities "significantly engaged" in financial activities, potentially capturing real estate settlement services, mortgage servicing, or investment advisory functions.
If GLBA applies, Passco would be subject to the updated Safeguards Rule (16 CFR Part 314), which requires:
- Designation of a qualified individual to oversee information security
- Written risk assessments and security programs
- Access controls, encryption, and multi-factor authentication
- Continuous monitoring and penetration testing
- Incident response planning
The FTC enforces GLBA compliance for non-bank financial institutions. Recent enforcement actions have targeted companies with inadequate access controls and delayed breach notifications.
State Notification Requirements
Beyond Maine, Passco likely faces notification obligations across multiple jurisdictions depending on victim residency:
California (Passco's home state): Requires notification "in the most expedient time possible" with no hard deadline, but the Attorney General has taken enforcement action against delays exceeding 90 days.
New York: If any affected individuals reside in New York, the state's data breach notification law requires notification "in the most expedient time possible" and reporting to the Attorney General, Department of State, and Division of State Police if more than 500 residents are affected.
Massachusetts: Requires notification within a "reasonable period of time" and mandates specific letter content including the right to place security freezes.
SEC Disclosure Considerations
For publicly traded companies, SEC cybersecurity disclosure rules (effective December 2023) require material incident disclosure within four business days. Private companies like Passco face no SEC reporting obligation, but the incident illustrates how mid-market firms often operate with less regulatory oversight than their publicly traded counterparts.
Financial Sector Breach Trends
This incident fits an emerging pattern of breaches at financial services firms outside traditional banking. Investment managers, insurance agencies, wealth advisors, and financial technology providers collectively maintain vast repositories of sensitive data but operate under varying regulatory frameworks.
Recent FinSecLedger coverage has documented similar incidents:
- Ashton Thomas Private Wealth exposed 1,644 client records via email compromise
- Advantage Gold suffered a breach affecting precious metals investors
- AOS MoneyBlock exposed SSNs, passports, and financial data
The common thread: entities holding financial data but potentially lacking the security infrastructure of regulated depository institutions. Banks undergo regular FFIEC examinations and must comply with interagency cybersecurity guidance. Investment firms registered with the SEC face examinations by the Office of Compliance Inspections and Examinations. But firms operating in adjacent spaces—property management, real estate investment, financial software—may fall through regulatory gaps.
FS-ISAC has repeatedly warned that threat actors increasingly target the extended financial services supply chain, recognizing that smaller firms often hold valuable data with fewer defensive resources.
Operational Security Lessons
The Passco breach, while affecting a relatively small population of 806 individuals, illustrates systemic issues worth examining:
Detection latency: The notification does not specify how long attackers maintained access before detection. Organizations should implement user and entity behavior analytics (UEBA) capable of identifying anomalous data access patterns in near-real-time.
Data minimization gaps: Why did Passco maintain SSNs for 806 individuals in accessible systems? Financial services firms should regularly audit what sensitive data they retain and whether business needs justify continued storage.
Third-party review bottlenecks: The four-month gap between completing forensic review and issuing notifications suggests either insufficient staffing for victim identification or inadequate data mapping that made locating affected individuals unnecessarily complex. Pre-incident data inventories accelerate post-breach response.
Notification template readiness: The standardized notification letter suggests Passco engaged breach response counsel, but organizations can reduce time-to-notification by maintaining pre-approved templates and vendor relationships with notification fulfillment providers.
Action Items for Peer Institutions
Financial services firms—particularly those operating outside traditional banking regulatory frameworks—should evaluate their own posture against lessons from this incident:
- Audit SSN retention practices: Review all systems, databases, and file shares containing Social Security numbers. Implement data minimization policies that purge SSNs when no longer required for legitimate business purposes. Where retention is necessary, ensure encryption at rest and in transit.
- Map notification obligations before incidents occur: Maintain a current matrix of breach notification requirements across all states where customers or employees reside. Pre-identify legal counsel, notification vendors, and credit monitoring providers to compress response timelines.
- Implement detection controls for data exfiltration: Deploy data loss prevention (DLP) tools and network detection capabilities that alert on unusual outbound data transfers. The NIST Cybersecurity Framework's Detect function emphasizes continuous monitoring of network traffic and user behavior.
- Conduct tabletop exercises with realistic timelines: Test incident response plans against notification deadlines. If your organization cannot complete forensic review, victim identification, and notification drafting within 45-60 days, identify bottlenecks and allocate additional resources.
- Verify cyber insurance coverage and notification cost estimates: Breach notification for 806 individuals costs approximately $150-200 per victim when including forensics, legal, notification fulfillment, and credit monitoring. Ensure coverage limits and retentions align with realistic incident costs.
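The SSN retention audit above, and the pre-incident data inventory the "third-party review bottlenecks" point calls for, can both start with a scan that finds where plausible SSNs live without copying them anywhere. The script below is an added example, not Passco's or any vendor's code; the file tree and its contents are constructed, and the plausibility filter applies the SSA issuance rules (area never 000, 666 or 900-999; group never 00; serial never 0000) so test fixtures and ticket numbers are not counted.

```python
"""Offline SSN discovery scan for a data-retention audit (constructed example)."""
import re
import tempfile
from pathlib import Path

# Dashed SSN shape that is not embedded in a longer digit run (rejects 1234-56-7890).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999; group/serial never all zeros."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def find_ssns(text: str) -> list[str]:
    """Return the distinct plausible SSNs in text, in order of first appearance."""
    seen: list[str] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()) and m.group(0) not in seen:
            seen.append(m.group(0))
    return seen

def inventory(root: Path) -> dict[str, int]:
    """Map each file under root holding plausible SSNs to its distinct-SSN count.
    Only counts are reported, so the audit output never becomes a copy of the data."""
    report: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = find_ssns(path.read_text(errors="ignore"))
            if hits:
                report[path.relative_to(root).as_posix()] = len(hits)
    return report

# Constructed sample files (hypothetical content, not data from the Passco incident).
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234-56-7890\nA. Example,123-45-6789\n",
    "shared/notes.txt": "Ticket 1234-56-7890; test ids 000-12-3456 666-12-3456 987-65-4321 123-00-4567 123-45-0000\n",
    "investors/k1_2019.txt": "Partner SSN 345-67-8901 on file since 2019 (retention needs review)\n",
}

def run_demo() -> dict[str, int]:
    """Write the constructed tree into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return inventory(root)

if __name__ == "__main__":
    for rel, n in run_demo().items():
        print(f"{rel}: {n} distinct SSN(s)")
```

In a real audit, point `inventory` at each file share and database export in turn and feed the per-file counts into the data map that the notification process will later depend on.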
Looking Ahead
Passco has indicated it is "implementing additional safeguards and training to its employees," though specifics remain undisclosed. Affected individuals should enroll in the offered credit monitoring before the July 31, 2026 deadline and consider placing security freezes at all three credit bureaus as a longer-term protective measure.
For the broader financial services sector, this incident reinforces that regulatory frameworks designed for banks do not automatically extend to adjacent firms handling equally sensitive data. Until consistent baseline requirements apply across the financial services supply chain, breaches at investment firms, property managers, and fintech providers will continue to expose consumer data with inconsistent oversight and variable response quality.