Sunday, July 30, 2017

CPA Data Breach

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it can be the start of a nightmare unlike any crime you may have experienced. Weak Indiana data breach regulations do not help.

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Some of the most important are your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone numbers, email addresses, etc. If the CPA also handles your investments and insurance, they will have your medical information as well.

The CPA firm Whitinger & Company realized that it had suffered a data breach on April 12, 2017. According to one of their clients, they waited until July 18, 2017, to notify him. That gave the fraudsters over three months' head start before the victims (the CPA's clients) could defend themselves.

The data breach also delayed the filing of this client's taxes because Whitinger & Company's computer was locked by the fraudsters just before they made a ransom demand. Did Whitinger pay the ransom? We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a potential CPA ransomware sequence of events. We do not know if this is what happened at Whitinger. We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. Fraudster hacks CPA.
  2. Information found on the CPA's computers is copied: tax returns, client correspondence, emails, the firm's financial data, client investment data, etc. (Many CPAs today sell insurance and investments.)
  3. Hackers analyze the CPA's data. They are looking for "whales" (high net worth, pensions, and large savings accounts). They can identify whales by sorting through tax returns and investment records.
  4. Hackers also look for older account holders because they often have money and are easy prey.
  5. The hackers next decide whether to sell the data on the dark net or farm the data themselves. They have time to decide because the victim CPA firm most often is unaware that it has been hacked.
  6. If the hackers decide to farm the data, they often send the whales and older targets an email with an infected attachment. They can use the CPA's email system or clone one that looks exactly like the CPA's email.
  7. Once received, the unsuspecting clients click on the link, assuming it was sent to them by their trusted CPA, and infect their computers. The hacker wants access to the passwords you keep on your computer.
  8. The hackers' next step is to loot investment accounts. The victim often cannot connect their loss with the CPA having been hacked.
  9. Whales and other victims cannot prove the cause of their loss. It could have been caused by their own weak security and carelessness.
  10. The hackers then lock the CPA's computers. This prevents the CPA from processing tax returns and conducting business.
  11. The hackers send the CPA a ransomware demand. The CPA is unaware it has a problem until its computers are locked down and it receives the ransom demand. Does it pay, or try to restore its systems with outside help?
  12. If the CPA pays, the fraudsters collect the ransom and unlock the CPA's systems. As part of the deal, the CPA agrees to be a reference to other victims and maybe even suggests other CPAs that might have weak security.
  13. By the time the CPA's clients have received the legally required notice, the damage may already have been done.

We do not know if any of these steps were taken against Whitinger & Company clients. All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.

Here is a summary report of the breach from my reporting service:

CPA firms are not regulated under cyber compliance umbrella laws such as HIPAA, PCI, etc. Therefore, they have a lower legal requirement to protect their clients' data. Indiana breach regulations are relatively weak, and the fines are small. Affected clients deserve more.


1 comment:

  1. It appears that one should not put all their eggs in one basket. Oh myyyyyyyy!