What Happened in the Mercadien Data Breach?
Mercadien PC Certified Public Accountants, a financial services and accounting firm, has confirmed a data breach that exposed sensitive personal information belonging to hundreds of thousands of clients. According to regulatory filings, unauthorized access to the firm’s network occurred on or about Nov. 7, 2025. This means someone outside the organization gained access to systems holding client records without permission.
The Mercadien data breach involved unauthorized access to a range of personal and financial data stored within the firm’s systems. Because Mercadien provides accounting and financial services, its systems likely contained detailed financial records for many clients. As a result, the exposure carries significant risk for the people whose information was stored there.
After discovering the intrusion, Mercadien launched an investigation to determine the scope of the incident. The firm then filed breach notifications with multiple state attorneys general, including those in Maine, Massachusetts, New Hampshire, South Carolina, Texas, and Indiana. In addition, Mercadien posted a public notice on its website and began mailing letters to affected individuals starting in early January 2026.
Who was affected?
The Mercadien data breach affected clients and individuals associated with the accounting firm across the country. Filings show that 402,741 people were impacted nationwide, including 1,376 residents of South Carolina and 1,323 residents of Texas. Because Mercadien serves clients throughout multiple states, the breach has a broad geographic reach.
Individuals affected likely include current and former clients whose financial and tax records were stored by the firm. However, the exact breakdown between clients, employees, or other associated individuals hasn’t been publicly disclosed. Given that accounting firms often handle sensitive family financial data, it’s possible that dependents or minors linked to client accounts were also included in the exposure.
What Information Was Potentially Exposed?
The data compromised in this breach spans a wide range of sensitive categories. Because Mercadien handles tax preparation and financial services, the exposed information is especially sensitive and could be misused in several ways.
- Full names
- Home addresses
- Dates of birth
- Driver’s license or government ID numbers
- Social Security numbers
- Financial account information
- Usernames and passwords
- IRS PIN numbers
- Payment card information
This combination of data creates serious risk for identity theft. For example, a criminal with a Social Security number, date of birth, and address could open new credit accounts, apply for loans, or file fraudulent tax returns in a victim’s name. Because IRS PIN numbers were also exposed, affected individuals may face an elevated risk of tax-related fraud specifically.
In addition, exposed usernames and passwords could allow attackers to access other online accounts if victims reused login credentials elsewhere. Payment card information exposure raises the risk of unauthorized charges. As a result, affected individuals should treat this breach as a serious threat to both their financial and personal security.
What is the company doing?
After discovering the breach, Mercadien took steps to investigate the incident and secure its systems. The firm then notified regulators in several states, as required by law, and posted a notice describing the breach on its website. This transparency allows affected individuals to understand what happened and take protective action.
In response to the breach, Mercadien began mailing notification letters to impacted individuals in early January 2026. The firm also set up a dedicated call center to answer questions from affected clients. This support line is available Monday through Friday from 9 a.m. to 9 p.m. ET at 855-403-1825, giving individuals a direct way to ask questions about their exposure.
What Should Affected Individuals Do?
Monitor Financial Accounts and Credit Reports
Affected individuals should closely monitor their bank accounts, credit card statements, and credit reports for unfamiliar activity. Because financial account information was exposed, fraudulent charges or new account openings are a real possibility. Checking statements regularly can help catch fraud early.
In addition, individuals can request free credit reports from the three major credit bureaus to review for suspicious accounts. Doing this periodically over the coming months is wise, since stolen data can be used well after a breach occurs. If anything looks unfamiliar, reporting it immediately can limit the damage.
Consider a Fraud Alert or Credit Freeze
Because Social Security numbers and financial account details were exposed, placing a fraud alert or credit freeze is strongly recommended. A fraud alert requires lenders to verify your identity before opening new credit in your name. A credit freeze goes further by blocking most access to your credit file entirely.
To place either protection, individuals can contact Equifax, Experian, or TransUnion directly. Setting up a freeze is free and can be lifted temporarily whenever you need to apply for new credit. Given the sensitivity of the data involved here, this step offers strong protection against identity thieves.
Protect Against Tax Fraud
Since IRS PIN numbers were included in the exposed data, affected individuals face a heightened risk of tax-related identity theft. This means someone could attempt to file a fraudulent tax return using a victim’s information to claim a refund. Filing your taxes early each year can help reduce this risk.
Furthermore, individuals should watch for unexpected IRS notices, such as letters about tax returns they didn’t file. If this happens, contacting the IRS Identity Protection Specialized Unit promptly is important. Requesting a new IRS PIN may also be worth discussing with a tax professional.
Stay Alert for Phishing Attempts
Following any data breach, scammers often use stolen information to craft convincing phishing emails or phone calls. Affected individuals should be cautious of unsolicited messages claiming to be from Mercadien, a bank, or a government agency. Legitimate organizations rarely ask for sensitive details over email or phone.
Instead of clicking links in suspicious messages, individuals should verify requests by contacting the organization directly through official channels. Because names, addresses, and dates of birth were exposed, scammers may use this information to appear more credible. Staying skeptical of unexpected requests for personal information is one of the best defenses.
Consult a Data Breach Attorney
Given the scale and sensitivity of this breach, some affected individuals may want to explore their legal options. Consulting a data breach attorney for a free case evaluation can help clarify whether you qualify for compensation. Many attorneys handle these cases without upfront fees.
Additionally, an attorney can help you understand deadlines that may apply to filing a claim. Because laws vary by state, professional guidance can ensure you don’t miss an opportunity to seek compensation for damages related to this breach.
More Information
Official Notice from Mercadien
Official Data Breach Notification Letter (PDF)
Official Data Breach Notification Letter (PDF)
Official Data Breach Notification Letter (PDF)
Official State Attorney General Notification
Official Notice from Mercadien
