Caldwell Sutter Capital Inc., a California-based investment management firm, has disclosed a data breach that exposed sensitive personal information belonging to hundreds of individuals. According to regulatory filings, the incident was linked to a cybersecurity event involving the company’s third-party service provider, FoxTrot LLC.
The breach affected 663 individuals across the United States and involved the exposure of highly sensitive information, including Social Security numbers and financial account data. Caldwell Sutter Capital reported the incident to state regulators in Maine, Massachusetts, and Vermont and began notifying affected individuals on May 29, 2026.
Because the compromised information includes Social Security numbers and financial account details, affected individuals may face an increased risk of identity theft, financial fraud, and other forms of misuse of their personal information.
What Happened?
According to notices filed with state attorneys general, an unauthorized third party gained access to systems maintained by FoxTrot LLC on April 22, 2026. FoxTrot provides software solutions that support Caldwell Sutter Capital’s back-office operations and business functions.
FoxTrot notified Caldwell Sutter Capital about the security incident on April 29, 2026. Following the notification, Caldwell Sutter Capital worked with the vendor to investigate the scope of the incident, determine what information may have been affected, and ensure that containment and remediation measures were implemented.
The company stated that the investigation remains ongoing.
Third-party vendor breaches have become increasingly common across the financial services industry. Organizations often rely on external providers for technology and operational support, which can create additional cybersecurity risks when vendors maintain access to sensitive customer information.
What Information Was Exposed?
The investigation determined that the following types of personal information were exposed:
- Full names
- Social Security numbers
- Financial account numbers
- Financial account codes
The exposure of Social Security numbers presents a particularly significant risk because this information can be used to commit identity theft, open fraudulent accounts, apply for loans, or conduct other unauthorized financial activities.
When combined with financial account information, cybercriminals may have sufficient data to target victims through sophisticated fraud schemes or account takeover attempts.
How Many People Were Affected?
Caldwell Sutter Capital reported that the breach affected 663 individuals throughout the United States.
While the number of affected individuals is smaller than some recent large-scale breaches, the sensitivity of the compromised information makes the incident particularly concerning.
Caldwell Sutter Capital’s Response
Following notification from FoxTrot LLC, Caldwell Sutter Capital initiated an investigation into the incident and coordinated with its vendor to understand the nature and scope of the breach.
The company is offering affected individuals 12 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks.
The protection package includes:
- Credit monitoring across all three major credit bureaus
- Dark web surveillance
- Identity restoration assistance
- Up to $1 million in identity theft insurance
Affected individuals must enroll in the service using the activation code provided in their notification letter. Enrollment is available through September 30, 2026.
The company has also established dedicated support channels to answer questions from affected individuals.
What Should Affected Individuals Do?
Anyone who received a notification letter from Caldwell Sutter Capital should consider taking the following steps to protect themselves:
Monitor Credit Reports
Review credit reports regularly for unauthorized accounts, inquiries, or suspicious activity.
Review Financial Accounts
Carefully monitor bank accounts, investment accounts, and credit card statements for unusual transactions.
Consider a Fraud Alert
A fraud alert can make it more difficult for criminals to open new accounts using stolen personal information.
Consider a Credit Freeze
A credit freeze restricts access to a consumer’s credit report and can help prevent identity thieves from opening new accounts.
Watch for Phishing Attempts
Cybercriminals often use stolen information to create convincing emails, text messages, and phone calls designed to collect additional information.
Why Social Security Number Breaches Are Serious
Social Security numbers are among the most valuable forms of personal information sought by cybercriminals. Unlike passwords, Social Security numbers generally cannot be changed after exposure.
Criminals may use stolen Social Security numbers to:
- Open fraudulent credit accounts
- File false tax returns
- Apply for loans
- Commit employment fraud
- Access government benefits
Because the information can remain useful for years, affected individuals may need to remain vigilant long after the breach occurs.
Can Affected Individuals Take Legal Action?
Companies that collect and store sensitive personal information have a responsibility to implement reasonable safeguards designed to protect that information from unauthorized access.
When a data breach exposes highly sensitive information such as Social Security numbers and financial account details, affected individuals may experience financial losses, spend time resolving identity theft issues, or face an increased risk of future fraud.
As investigations continue, affected individuals may explore their legal options and monitor developments regarding potential class action litigation related to the incident.
Find a Data Breach Lawyer
