Breach Analysis

RKA Consulting Group Breach Exposed SSNs -- Notifications Took 292 Days

Analysis of the RKA Consulting Group data breach exposing names, dates of birth, and Social Security numbers after a January 2025 hack. Notifications arrived in October.

By FinSecLedger

Engineering Firm RKA Consulting Group Hacked in January 2025 -- SSN Notifications Didn't Arrive Until October

RKA Consulting Group, an engineering consulting firm, disclosed a data breach to the California Attorney General after a January 8, 2025 network intrusion exposed names, dates of birth, and Social Security numbers. The company detected the suspicious activity the same day it occurred, confirmed unauthorized access by February 25, 2025, and then spent seven months reviewing the compromised files before mailing notification letters on October 27, 2025 -- 292 days after the incident.

That 292-day gap makes this one of the longer notification timelines we have tracked. California's breach notification statute requires disclosure "in the most expedient time possible and without unreasonable delay." Whether a 292-day window qualifies as unreasonable is a question the California AG's office will have to assess, but the timeline is difficult to justify when the data at risk includes Social Security numbers.

What Happened at RKA Consulting Group

On or around January 8, 2025, RKA Consulting detected suspicious activity on its systems. The company disconnected the affected systems and brought in independent forensic investigators. By February 25, 2025 -- roughly seven weeks later -- the forensic work confirmed that an unauthorized individual had gained access to RKA Consulting's network for a "limited period of time" and may have accessed a limited number of files.

The notification letter does not specify how the attacker gained entry. It describes the incident only as unauthorized access, with no mention of phishing, credential compromise, vulnerability exploitation, or ransomware. The phrase "limited period of time" suggests the intrusion was either quickly contained or the attacker moved fast. Either way, the forensic team had answers within 48 days.

What followed was a file-by-file review to determine whose personal information was in the compromised files. That review took from late February to September 23, 2025 -- seven months of document analysis. This extended review period is the primary driver behind the 292-day notification delay.

What Data Was Exposed

The compromised files contained three categories of personal information:

  • Full names
  • Dates of birth
  • Social Security numbers

This is a high-risk combination. SSN plus date of birth is enough for an attacker to open new credit accounts, file fraudulent tax returns, or commit synthetic identity fraud. Unlike a stolen credit card number, which can be reissued, a compromised SSN creates a permanent exposure. The affected individuals will need to monitor their credit indefinitely -- not just during the 12-month window that RKA Consulting's complimentary monitoring covers.

RKA Consulting stated that the information was collected from individuals who "worked with RKA Consulting on an engineering project." That phrasing suggests the exposed population includes subcontractors, joint venture partners, or employees of client organizations -- not the general public. Engineering projects often require background checks, insurance verification, and payroll coordination, all of which generate SSN collection.

How the Attack Happened

The notification letter provides minimal technical detail. RKA Consulting characterizes the incident as unauthorized network access but does not identify the attack vector, name a threat actor, or reference a specific vulnerability. The company states it "immediately disconnected these systems" upon detecting suspicious activity -- a response that suggests the intrusion triggered some form of automated alert or monitoring.

Post-incident, RKA Consulting changed passwords and "implemented additional restrictions on accessing the network." These remediation steps point toward credential compromise as a likely vector. Password resets and access restrictions are standard responses when an attacker authenticates with stolen or weak credentials, rather than exploiting a software vulnerability.

The Corban OneSource breach from September 2025 followed a similar pattern -- a single-day unauthorized network access at a professional services vendor that exposed SSNs, with a months-long file review before notifications went out. Both incidents illustrate how even brief intrusions at service providers can trigger extended response timelines when the breached organization must determine which client records were in the compromised files.

Who Is Affected

RKA Consulting's notification was filed with the California Attorney General, which means at least some affected individuals are California residents. The total number of affected individuals was not disclosed in the California filing.

The affected population appears limited to people who provided personal information in connection with engineering projects. This likely includes project employees, subcontractors, consultants, and possibly client personnel who submitted identification documents for project-related purposes. Engineering firms routinely collect SSNs for certified payroll, prevailing wage compliance, and subcontractor verification -- requirements driven by public works contracting and insurance documentation.

The 292-Day Notification Delay

The timeline breaks down as follows:

  • January 8, 2025: Suspicious activity detected, systems disconnected
  • February 25, 2025: Investigation confirms unauthorized file access
  • September 23, 2025: File review completed, affected individuals identified
  • October 27, 2025: Notification letters mailed

California Civil Code Section 1798.82 requires notification "in the most expedient time possible and without unreasonable delay." The statute permits a reasonable delay for law enforcement purposes, but there is no blanket exemption for lengthy document review.

The seven-month file review (February to September) is the bottleneck. RKA Consulting may have faced a genuinely complex review -- engineering project files can span thousands of documents across multiple projects, and SSNs may appear in embedded forms, scanned PDFs, or legacy spreadsheets rather than structured databases. But regulators and courts have increasingly pushed back on extended review periods as breach volumes rise.

For comparison, the Ameriprise Financial Services breach involved a more complex data set (SSNs, account numbers, financial records, medical information across 598 individuals) but managed to complete its review and notification process within a tighter timeframe. Extended review periods are becoming harder to defend, particularly when the compromised data includes SSNs.

Regulatory Implications

As an engineering consulting firm, RKA Consulting is not subject to financial services regulators like the NYDFS Cybersecurity Regulation or the GLBA Safeguards Rule. But the breach has downstream implications for financial institutions and regulated entities.

If RKA Consulting performs work for banks, credit unions, or government-sponsored infrastructure projects -- common for engineering firms -- then those institutions may need to assess whether the breach triggers their own vendor incident notification obligations. Under the OCC's enforceable guidelines and FFIEC guidance, regulated financial institutions must evaluate third-party service provider breaches that could affect customer information.

The California AG's enforcement posture on notification timing has tightened in recent years. The office has historically focused on companies that took more than 60 days to notify after completing their investigation, and the 34-day gap between RKA Consulting's file review completion (September 23) and mailing date (October 27) falls within that window. The longer question is whether the seven-month review period itself constitutes unreasonable delay.

Vendor Risk and Third-Party Exposure

RKA Consulting's breach fits a pattern tracked in FinSecLedger's breach database: professional services vendors that collect sensitive personal information as a byproduct of their client work, rather than as a core business function. These firms often lack the security investment of financial institutions or healthcare organizations, but hold equally sensitive data.

The 700Credit breach exposed SSNs collected through auto dealership credit applications. The Marquis Software Solutions breach compromised data from 80+ banks and credit unions through a marketing vendor. The common thread is that service providers outside the financial regulatory perimeter hold financial-sector-grade personal information with general-enterprise-grade security controls.

According to the FBI's IC3 2024 Internet Crime Report, business email compromise and unauthorized network access remain the top vectors for data theft at professional services firms. The Verizon 2024 Data Breach Investigations Report found that credential-based attacks accounted for the majority of initial access at small and mid-sized professional services organizations -- consistent with RKA Consulting's post-incident remediation focus on password changes and access restrictions.

What Affected Individuals Should Do

RKA Consulting is offering 12 months of credit monitoring through Cyberscout, a TransUnion subsidiary. Enrollment requires activation within 90 days of the notification letter date. Given that letters were mailed October 27, 2025, the enrollment window may already have expired for early recipients, or may be closing soon.

Affected individuals should:

  1. Freeze credit files at all three bureaus (Equifax, Experian, TransUnion) -- this is free and more effective than monitoring, which only alerts after fraudulent accounts are opened
  2. File an IRS Identity Protection PIN request at irs.gov/ippin to prevent fraudulent tax returns using the exposed SSN
  3. Monitor financial accounts for unauthorized transactions, particularly new account openings
  4. Request a free credit report at annualcreditreport.com and review for unfamiliar accounts or inquiries
  5. Consider an extended fraud alert (seven years) if any suspicious activity is detected -- this requires filing an FTC identity theft report at identitytheft.gov

Lessons for Organizations

Engineering firms and professional services vendors that collect SSNs for project compliance should treat that data with the same rigor as financial institutions. Certified payroll records, insurance certificates, and subcontractor verification files all contain identity-theft-grade information that persists on file servers long after the project closes.

The 292-day notification timeline also underscores the need for structured data inventories. Organizations that can quickly identify which files contain PII -- and whose PII is in them -- can compress the review phase from months to weeks. Data loss prevention tools, structured storage policies, and automated PII scanning are no longer optional for any firm handling SSNs at scale.
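The kind of automated PII scan this paragraph calls for, as an added example (not RKA Consulting's tooling or anything described in the notification letter): a scanner that walks a set of project files, flags SSN-formatted values, drops candidates that violate the SSA's structural issuance rules, and produces a per-file inventory so a review can start from the files that matter. The file paths and contents are constructed; none of the numbers are real SSNs.

```python
import re

# Constructed sample "files" standing in for the record types the article names
# (certified payroll, insurance certificates, legacy lists, scanned forms).
SAMPLE_FILES = {
    "payroll/certified_payroll_2023.csv": "name,dob,ssn\nJane Roe,1984-03-02,123-45-6789\n",
    "subs/insurance_cert.txt": "Policy 100-00-0000 and group 666-12-3456 are placeholders.\n",
    "legacy/vendor_list.txt": "PO-2021-0099  ACME Steel  qty 123456789\n",
    "hr/w9_scan_ocr.txt": "TIN: 219 09 9999\n",
}

# 3-2-4 digit groups, optionally separated by dash or space, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.

    This removes the most common false positives (policy numbers, placeholders);
    it cannot confirm that a structurally valid number was actually assigned.
    """
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def find_ssns(text: str, allow_undelimited: bool = False) -> list[str]:
    """Return SSN-like values in text. Bare 9-digit runs are skipped unless requested,
    because PO numbers and quantities produce far more noise than real SSNs."""
    hits = []
    for m in SSN_RE.finditer(text):
        if not allow_undelimited and m.group(0).isdigit():
            continue
        if is_valid_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits


def build_inventory(files: dict[str, str], allow_undelimited: bool = False) -> dict[str, list[str]]:
    """Map each file path to the masked SSNs it contains; files with no hits are omitted.
    Masking keeps the inventory itself from becoming another copy of the sensitive data."""
    inventory = {}
    for path, content in files.items():
        hits = find_ssns(content, allow_undelimited)
        if hits:
            inventory[path] = ["***-**-" + h[-4:] for h in hits]
    return inventory


if __name__ == "__main__":
    for path, masked in build_inventory(SAMPLE_FILES).items():
        print(f"{path}: {len(masked)} SSN(s) {masked}")
```

Running the scan over the constructed files flags only the payroll CSV and the OCR'd W-9 text; the placeholder policy numbers and the bare quantity are filtered out.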
