Sunday, July 30, 2017

CPA Data Breach


By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it could be the start of a nightmare, unlike any crime you may have experienced.  Weak Indiana data breach regulations do not help. 

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Some of the most important is your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone number, email addresses, etc.  If the CPA also handles your investments and insurance, they will have your medical information.

The CPA firm Whitinger & Company realized on April 12, 2017, that it had suffered a data breach.  According to one of their clients, they waited until July 18, 2017, to notify him.  That gave the fraudsters more than a three-month head start before the victims (the CPA's clients) could defend themselves. 


The data breach also delayed the filing of this client's taxes, because Whitinger & Company's computers were locked by the fraudsters just before they made a ransom demand.  Did Whitinger pay the ransom?  We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a possible sequence of events in a CPA ransomware attack.  We do not know if this is what happened at Whitinger.  We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. The fraudster hacks the CPA firm.
  2. Information found on the CPA's computers is copied: tax returns, client correspondence, emails, the firm's financial data, client investment data, etc.  (Many CPAs today sell insurance and investments.)
  3. The hackers analyze the CPA's data, looking for "whales" (high net worth, pension and large savings accounts).  They can identify whales by sorting through tax returns and investment records. 
  4. The hackers also look for older account holders because they often have money and are easy prey.
  5. The hackers next decide whether to sell the data on the dark net or farm it themselves.  They have time to decide because the victim CPA firm is most often unaware that it has been hacked.
  6. If the hackers decide to farm the data, they often send the whales and older targets an email with an infected attachment.  They can use the CPA's email system or clone one that looks exactly like the CPA's email.
  7. Once received, the unsuspecting clients click on the link they assume was sent by their trusted CPA and infect their computers.  The hacker wants access to the passwords you keep on your computer.
  8. The hackers' next step is to loot investment accounts.  The victim often cannot connect the loss with the CPA's having been hacked.
  9. Whales and other victims cannot prove the cause of their loss.  It could have been caused by their own weak security and stupidity. 
  10. The hackers then lock the CPA's computers.  This prevents the CPA from processing tax returns and conducting business.
  11. The hackers send the CPA a ransom demand.  The CPA is unaware it has a problem until its computers are locked down and it receives the ransom demand.  Does it pay or try to restore its systems with outside help? 
  12. If the CPA pays, the fraudsters collect the ransom and unlock the CPA's computers.  As part of the deal, the CPA agrees to be a reference to other victims and may even suggest other CPAs that might have weak security.
  13. By the time the CPA's clients receive the legally required notice, the damage may already have been done. 

We do not know if any of these steps were taken against Whitinger & Company clients.  All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.  

Here is a summary report of the breach from my reporting service:

CPA firms are not regulated under cyber compliance regimes such as HIPAA, PCI, etc.  Therefore, they have a lower legal requirement to protect their clients' data.  Indiana breach regulations are relatively weak, and the fines are small.  Affected clients deserve more.

-30-

Wednesday, July 5, 2017

You’ve Been Hacked Red Flags

By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™

Sometimes it takes years – yes years – to realize that you have been hacked and your identity is being used without your permission.  This is especially true with the most insidious form of ID theft: “synthetic identity theft.”  One-third of Social Security numbers are being used by more than one person. 

As you read this, your Social Security number may be in illegal use by another person without your realizing it. 

Here is a short list of ID theft red flags:

  •  No mail in your mailbox for two or more regular delivery days
  •  You are having problems with a spouse or member of your household
  •  You are a victim of domestic violence, stalking or cyber bullying
  •  You receive notice that you have changed your address
  •  Someone close to you had their ID stolen
  •  Errors on your medical "explanation of benefits" (EOBs)
  •  A vendor you do business with has a data breach
  •  Suspicious mail arrives for your minor child
  •  Bogus charges on your credit card or bank statement
  •  Errors in your credit file
  •  You've been traveling, especially in another country
  •  Collection notices arrive
  •  Credit cards arrive that you did not order
  •  A strange credit card statement arrives in the mail

The weakest link in your identity security is your smartphone.  Also, most businesses provide more security for their toilet paper than for your personally identifiable information. 


If your group needs someone to speak about these issues and how to reduce the risk of identity theft, contact me.  

-30-