Editor’s Note: Following publication, MyComplianceOffice provided a statement dated April 9, 2026 indicating the incident involved unauthorized access to a legacy test or staging server. The company said the scope is limited to 12 customers, all of whom were notified, and that there is no evidence its production environment was impacted. This statement was not included in the original version of this article and has now been added for completeness.
A compliance technology vendor trusted with some of the most sensitive communications in financial services has allegedly been gutted. FulcrumSec, a threat actor with 13 claims dating back to October 2025, published what it claims is the complete dataset from a breach of MyComplianceOffice, a New York-based RegTech firm serving more than 1,500 financial services firms across 125 countries. The full release dropped March 31, three weeks after a preview post that the group says was MCO’s last chance to resolve the situation quietly.
MCO’s platform is used by regulated financial institutions to archive and monitor employee communications, including emails, Bloomberg and Reuters trader chats, Microsoft Teams messages, ICE Chat logs, Skype conversations, SMS messages, and Zoom and Teams meeting recordings. That is exactly what FulcrumSec claims to have walked out with.
What the Breach Allegedly Covers
The total exfiltrated dataset allegedly spans approximately 165 gigabytes across 2 AWS accounts. That includes 5.7 gigabytes of live MongoDB database dumps containing 85,131 communication records, 374,545 audit log entries, and 159 cleartext passwords. The communications archive allegedly contains emails, Bloomberg Instant Bloomberg chat logs, Reuters Eikon counterparty directories, ICE Chat archives, Teams and Zoom meeting recordings, 341 speaker-attributed meeting transcriptions, and 709 commodity trader SMS messages.
Client firms whose data allegedly appears in the archive include Gunvor Group, PetroChina USA, Hartree Partners, Totsa/TotalEnergies, NextEra Energy and its Florida Power and Light subsidiary, Motiva Enterprises, PBF Holdings, Boston Energy Marketing, and Mercuria Energy. These firms used MCO to store regulated communications. FulcrumSec claims those archives are now in its possession.
Beyond client communications, the group also claims to have obtained 93 source code builds of MCO’s Honcho compliance platform, a NextEra Energy-specific machine learning compliance model trained on 2 years of data, and what it describes as complete production credentials across MongoDB Atlas, MySQL, Kafka, Redis, and other infrastructure components. BreachNews is not publishing those credentials.
How They Got In and Stayed In
FulcrumSec claims the initial breach targeted MCO’s AWS environment, with a single ECS task role credential allegedly providing access to the entirety of the company’s production infrastructure with no network segmentation or IP whitelisting in place. The group says it maintained access across both intrusions without being detected or blocked.
Perhaps the most damaging technical finding, if accurate, is what FulcrumSec says it found in MCO’s production database: 159 out of 164 platform user accounts stored with plaintext passwords. MCO’s own website states that customer data is stored in a secure and encrypted environment, and the company holds SOC2 Type II and ISO 27001 certifications. Cleartext password storage in a production database would represent a direct contradiction of both.
The Negotiation That Went Nowhere
FulcrumSec says it notified MCO of the first breach and entered negotiations. The full release was framed explicitly as a consequence of those talks breaking down. The group published a preview on March 14 and gave MCO three weeks to respond. When MCO did not, FulcrumSec says it was left with no choice but to post the data in its entirety.
The group maintains a public website where it announced the release and says it will continue publishing new breaches on a weekly basis.
Company Response Points to Limited Scope
In a statement provided to BreachNews, MyComplianceOffice said it identified unauthorized access involving a legacy test or staging server and immediately took steps to contain the incident and launch an investigation with external forensic and incident response experts.
The company said the incident is limited to 12 customers, all of whom have been notified directly. According to MCO, the data involved appears to be older information, and there is no evidence that its production environment was impacted.
MCO also acknowledged the existence of external claims regarding the breach and said it is assessing that information as part of its ongoing investigation.
Public Statement Still Pending
MyComplianceOffice has not issued a public statement on the incident at time of publication. The company provided a direct statement to BreachNews but has not published details of the event through official press or advisory channels.
The company’s most recent public communications are a January 2026 growth announcement and a March 2026 press release celebrating its rise to number 17 on the Chartis Financial Crime and Compliance50 list. Neither addresses the FulcrumSec claims.
BreachNews will update this article if that changes.
