A colleague and C-level executive at Yahoo! had her identity stolen, a tax return filed, and a loan taken out – all in her name. She only found out after collectors began calling her because she wasn’t paying the loan. I can only imagine the hit her credit report took, which has tremendous repercussions in this day and age.
We often think of security breaches in terms of leaked credit card numbers, such as the cases involving large retailers whose point-of-sale systems have been hacked. So you might be surprised to learn that personal information, such as Social Security numbers, carries even more value on the black market. From a hacker’s point of view, why bother with a single credit card account when you can steal a person’s entire identity?
That appears to be the motivation behind a recent security breach at a CPA firm. Luckily, only a small number of their clients were affected by the information breach. But that’s small consolation to those affected individuals.
The incident was discovered when several of the firm’s clients became subject to fraudulent tax returns. The con artists filed fake income tax returns in their names, using their Social Security numbers and other sensitive information. Their motives were possibly to collect the victims’ tax refunds directly, or to borrow against the refunds via the “instant refund” offers promoted by some tax processing companies. Indeed, the phony returns were traced to a different CPA firm in Texas (no affiliation with the CPA firm from which the breach originated).
A cybersecurity and forensics company was able to identify the source of the breach as a sophisticated phishing attack on the CPA’s cloud system. A limited number of clients were affected and had their personal information stolen. That information was then used to file the fraudulent returns in Texas.
After identifying the source of the breach, the CPA firm launched into damage control. All clients were notified of the breach, and new security measures were instituted, including:
● Adopting multi-factor authentication for the cloud environment
● Adopting multi-factor authentication for all software applications pertaining to client data
● Enrolling in a managed security program with an IT support firm
● Enrolling in an IRS program to prevent unauthorized returns from being filed for any of the firm’s clients in the future
● Providing clients with complimentary identity theft protection
The firm is also considering a switch to a new tax return software vendor that can provide
All appropriate steps were taken toward mitigating potential damage. But as they say, “an ounce of prevention is worth a pound of cure.” All companies that handle and store sensitive client data should regularly review their data security protocols and update those measures as appropriate.
Additionally, the time to develop a mitigation protocol is not in the aftermath of a breach. All companies handling sensitive data must have a plan in place before a breach occurs. Of course, the hope is that damage control is never needed. But in this day and age, it is better to be safe than sorry.