To all my past and current clients:
Dear Sir / Madam,
We are writing to inform you of a recent security incident at Iris Bikel, Attorney at Law. This notification is sent pursuant to the New York State Information and Security Breach and Notification Act (General Business Law Section 899-aa or State Technology Law Section 208).
Here is a detailed account of the incident and the steps we have taken:
03/26/2024: At approximately 7:00 pm EST, while attempting to receive a shared document via Dropbox from a client, we encountered an issue. Upon investigation, we discovered that the email address associated with our company's Dropbox account had been changed without authorization.
03/27/2024: We engaged our IT department to address the issue. We also engaged Dropbox support, who informed us they would investigate the issue further. We copied all the data from the account to secure it. We were unable to change the email address on the account, change the password, or permanently delete the files or the account without access to the compromised email address and/or the changed password.
03/28/2024: Despite our internal efforts, including a password reset and attempts to regain access to the account, we observed further unauthorized changes to the account. We engaged a third-party Managed IT Service Provider to assist with resolving the compromise. They reviewed the issue and attempted to regain access to the account, but were unsuccessful due to the changed email address and lack of access to the password. We re-engaged with Dropbox support, but they initially provided no assistance in stopping the unauthorized access to the files and folders.
03/29/2024: Efforts to engage Dropbox support continued, but they were unable to provide proof of whether any data had been viewed, transferred, or downloaded. We also attempted to close the account, but Dropbox was unwilling to do so without further investigation. During further discovery, we identified two files with names matching the compromised email address. Upon investigation, it was determined that these files contained links to a fake Dropbox site, indicating a phishing attempt. We attempted to delete these files, change the email address, and delete the account, but credentials were required for these actions. We upgraded the Dropbox plan on the compromised account to gain access to phone support. With the assistance of our Managed Service Provider, we were able to transfer all data to a new business account to secure it, circumventing the Dropbox security measures and removing the compromised account's access to the data.
04/01/2024: Efforts to engage Dropbox support continued, but they were unable to provide proof of whether any data had been viewed, transferred, or downloaded. We also continued to attempt to close the account, but Dropbox was unwilling to do so without further investigation.
04/03/2024: We continued to engage with Dropbox to report the situation and request an audit of the compromised account.
04/04/2024: Dropbox responded, indicating that the account was suspended. We provided the necessary information to regain access to the account but were informed that access could not be granted. We continued to work with Dropbox to close the account and requested an access audit.
As of 04/05/2024, the compromised account remains suspended, and all data has been secured. We are still awaiting confirmation from Dropbox regarding the extent of the breach and any potential data exposure.
To protect yourself from the possibility of identity theft, we recommend that you immediately place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request. A fraud alert should not stop you from using your existing credit cards or other accounts, but it may slow down your ability to get new credit. An initial fraud alert is valid for ninety (90) days. To place a fraud alert on your credit reports, contact one of the three major credit reporting agencies at the appropriate number listed below or via their website. One agency will notify the other two on your behalf. You will then receive letters from the agencies with instructions on how to obtain a free copy of your credit report from each.
• Equifax (888) 766-0008 or www.fraudalert.equifax.com
• Experian (888) 397-3742 or www.experian.com
• TransUnion (800) 680-7289 or www.transunion.com
New York residents can also consider placing a Security Freeze on their credit reports. A Security Freeze prevents most potential creditors from viewing your credit reports and, therefore, further restricts the opening of unauthorized accounts. For more information on placing a security freeze on your credit reports, please go to the New York Department of State Division of Consumer Protection website at https://dos.nysits.acsitefactory.com/consumer-protection.
When you receive a credit report from each agency, review the reports carefully. Look for accounts you did not open, inquiries from creditors that you did not initiate, and confirm that your personal information, such as home address and Social Security number, is accurate. If you see anything you do not understand or recognize, call the credit reporting agency at the telephone number on the report. You should also call your local police department and file a report of identity theft. Get and keep a copy of the police report because you may need to give copies to creditors to clear up your records or to access transaction records.
Even if you do not find signs of fraud on your credit reports, we recommend that you remain vigilant in reviewing your credit reports from the three major credit reporting agencies. You may obtain a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228 or by completing an Annual Credit Request Form at: www.ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing to: Annual Credit Report Request Service, P.O. Box 1025281 Atlanta, GA 30348-5283
For more information on identity theft, you can visit the following websites:
• New York Department of State Division of Consumer Protection: www.dos.ny.gov/consumer-protection
• NYS Attorney General at: www.ag.ny.gov
• Federal Trade Commission at: www.ftc.gov/bcp/edu/microsites/idtheft/
If there is anything Iris Bikel, http://irisbikelattorney.com, can do to further assist you, please call Iris Bikel at 646.969.6989.
Please note: This letter, from a breaching entity to notify New York residents of a security breach incident, is for informational purposes only and should not be construed as legal advice and/or as policy of the State of New York. It is recommended that you speak with a privacy professional and/or an attorney for further advice.
Sincerely,
Iris Bikel, Esq.
Iris Bikel, Esq.
309 West 86th Street, Unit 6B
New York, NY 10024
646.969.6989 x101 (phone) / 917.640.6292 (mobile)
iris@irisbikelattorney.com