IMA Diligence Services Discloses Data Breach After Ransomware Group Claims 700GB Leak

WICHITA, Kan. — IMA Diligence Services, LLC, a financial advisory firm specializing in transaction support, disclosed a significant data breach on May 29, 2026, that exposed personal information stored on a third-party server. The incident, which the company says occurred in December 2025, has affected an undisclosed number of individuals and has already triggered a federal class-action lawsuit and multiple independent law firm investigations. Breaches at firms handling sensitive M&A and investment data are particularly alarming, as the compromised information can extend far beyond personal identity to include confidential corporate strategy and financials. According to a notification letter sent to affected individuals, IMA Diligence learned on or around December 16, 2025, that certain files on a legacy server were inaccessible. An investigation determined that an unauthorized actor had gained access to the server between December 8 and December 16, 2025, and acquired files. The company, which provides financial due diligence services to private equity firms, lenders, and corporations, did not specify what types of personal information were compromised. A significant discrepancy has emerged in the timeline of events. While IMA Diligence states in legal filings that it discovered the breach on May 4, 2026, the Genesis ransomware group publicly claimed responsibility for an attack on January 27, 2026, alleging it had exfiltrated approximately 700GB of data, according to reporting cited by Almeida Law Group. This places the hackers’ public claim more than three months before the company’s official discovery date and nearly five months before it began notifying consumers. The compromised data was located on what the company’s notice described as a “legacy server managed by a third-party, which is now decommissioned and no longer in use.” In response to the incident, IMA Diligence is offering affected individuals 12 months of complimentary credit monitoring and identity restoration services through TransUnion. The reliance on a “legacy server managed by a third-party” highlights a critical vulnerability for many businesses. In our experience, third-party risk is one of the most overlooked aspects of corporate security. Companies often conduct extensive due diligence on acquisition targets but fail to apply the same rigor to their own technology vendors and data processors. A vendor's outdated infrastructure becomes your liability. This incident serves as a stark reminder that comprehensive financial risk management must include a thorough and ongoing assessment of the entire supply chain, especially partners with access to sensitive client or corporate data. We work with clients to build frameworks for just this kind of vendor oversight. For businesses looking to strengthen their operational resilience and manage third-party risks, C&S Finance Group LLC at csfinancegroup.com provides guidance on establishing robust vetting and monitoring protocols. The fallout from the breach has been immediate. A federal class-action lawsuit, Roberts v. Redridge Diligence Services LLC d/b/a IMA Diligence Services et al, has been filed in the U.S. District Court for the Northern District of Illinois. The lawsuit accuses the company of negligence in failing to adequately protect sensitive information. In addition, multiple law firms, including Murphy Law Firm, have publicly announced investigations into legal claims on behalf of victims. IMA Diligence Services, formerly known as RedRidge Diligence Services, is a division of the IMA Financial Group. This is not the parent company’s first cybersecurity incident; IMA Financial Group reported a separate, smaller data breach in October 2022 that affected 941 individuals, according to public filings. The nature of IMA’s business raises the stakes of the breach considerably. Due diligence investigations for mergers, acquisitions, and lending require access to highly confidential information, including non-public financial statements, strategic plans, intellectual property details, and personal data of key executives from companies involved in transactions. The exposure of such information could jeopardize active deals, reveal confidential M&A strategies to competitors, and create significant secondary risks for IMA's corporate clients. The reputational damage and legal costs from such an event can be extensive and long-lasting, underscoring the necessity of proactive, not reactive, security and compliance measures. Moving forward, the key developments to watch will be the progression of the class-action lawsuit and any further disclosures from IMA Diligence regarding the specific data types compromised and the total number of individuals affected. Regulatory bodies may also take an interest, particularly given the lengthy delay between the intrusion, the public claim by hackers, and the company's official notification to consumers.