As explained in this Alert, the Fifth Circuit Court of Appeals in an abrupt volte-face has reinstated the nationwide injunction against enforcement of the Corporate Transparency Act’s Beneficial Ownership Information reporting requirements. While this constitutes a temporary reprieve from the CTA's reporting obligations, the constitutionality of the CTA continues to be unsettled.
In the meantime, I have noted that the CTA creates a rich, centralized target for criminals and foreign governments. See Is The FinCEN Laying The Foundation For The G.O.A.T. Data Breach? The reality of this threat was recently brought home in a letter from Aditi Hardikar
Assistant Secretary for Management at the U.S. Department of Treasury to the U.S. Senate Committee on Banking, Housing
and Urban Affairs. The letter discloses what the Department characterizes as a "major cybersecurity incident":
On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust,
that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used
to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access
to the stolen key, the threat actor was able override the service’s security, remotely access certain
Treasury DO user workstations, and access certain unclassified documents maintained by those users.
According to the letter, the incident has been attributed to a "China state-sponsored Advanced Persistent Threat (APT) actor".
If the CTA is upheld, the Department of Treasury will be housing for the first time the personal information of the beneficial owners of tens of millions of businesses. Does anyone doubt that this will be an inviting target for hackers and that attacks on the security of that central depository are inevitable?