*Previously known as War Stories
Topic: Phishing, Social Engineering Scheme
Services: Auditing
Steve Ryckman, managing partner of Ryckman-Harris & Associates, is alerted one day after receiving a call from a firm employee who asked if he requested to share a file with her (via email) from a file hosting service. Because he hadn’t, the firm’s IT department advised Ryckman to contact the firm’s outsourced IT network vendor to look into the suspicious activity.
Ryckman’s firm is on a hosted network that requires dual authentication. The IT vendor ran a scan and found no viruses or threats. The vendor then looked into Ryckman’s email account. Nothing stood out when Ryckman logged into Microsoft Outlook from the remote network or local server, but when he logged into his Microsoft 365 account through a web browser, something did: a rule had been set up relating to the file sharing service account that had been created. Ryckman hadn’t created the rule, and his attempts to log in to his file sharing account failed.
Ryckman requested a password reset, and the IT vendor deleted the rule and set up a dual authentication process for the account. After the incident, other staff at the firm who also had accounts with the same file sharing service took the same action. Ryckman’s firm didn’t have a dual authentication process set up for its Microsoft 365 accounts and therefore instructed staff to set one up.
Roughly 10 months later, the firm determined there may have been a privacy breach involving 19,000 individuals. The firm’s insurer, Nixta, handled the cyber matter and ordered that a forensic analysis be conducted to determine what the hacker could have had access to. A further analysis was performed on the thousands of items pulled to identify the population of individuals potentially impacted and to whom notification letters should be sent. Determining the extent of the breach was a time-consuming process: multiple searches had to be conducted because some of the data was old, and due diligence was needed to ensure the correct number of individuals, and the correct individuals, had been identified as potentially impacted.
When the extensive list of names was produced, it was determined that about 90% of them were tied to eight files for an audit client of Ryckman’s firm. The compromised data that had been sent to the firm was from 2009-2011. Ryckman’s firm didn’t have an email retention policy, and the old emails (password-protected emails came well after 2012) were saved in a Microsoft Office 365 account, leaving the files unencrypted and available for hackers to access. The firm’s client had sent a large spreadsheet that included patients’ names and personally identifiable information (PII) relating to medical equipment the patients had rented from the medical supplier, an audit client of Ryckman-Harris & Associates. Although the firm notified all the individuals potentially impacted by the breach, the damage was done, and the firm was soon served with a class action lawsuit by one of the individuals whose personal, confidential information was leaked.
Select the answer that is the best response.
1. What mistake(s) did the CPA firm make that created the liability exposure?
- a. Not securing and encrypting all confidential information sent to the firm.
- b. Not having a retention policy for company emails (including ones that contain sensitive files and data).
- c. Not securing all company accounts (such as email) with password protection and authentication that requires distinct forms of identification for access.
- d. All of the above.
2. What is true about this case for CPA firms to note?
- a. The plaintiff was a client who previously worked in the firm’s IT department.
- b. The plaintiff was a non-client who filed litigation without contacting the firm first.
- c. The plaintiff was a non-client who reached out to the firm before filing a lawsuit.
- d. The plaintiff was a client who initially notified the firm of the potential breach.
Correct Answers:
1. d.
The dated, sensitive information should have been protected and secured, and later carefully destroyed. The responsibility falls on the CPA firm, as its email account containing unencrypted PII needed to be safeguarded. Compromised email accounts allow hackers to place rules on the account and send purported messages, for example from a CPA firm, asking for money or for the recipient to click on a harmful link. Security such as authentication is critical for company accounts, so that only authenticated users can gain access to protected resources. Email retention policies are vital for a firm, or any business, to save space on the email server and stay in compliance with federal and industry record-keeping regulations. Retaining emails for longer than necessary exposes a company to security and legal risks and can compromise data assets.
2. b.
The plaintiff was a patient of the CPA firm’s audit client (a non-client of the firm) who, instead of contacting the CPA firm after being notified of the breach, filed a lawsuit.
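The inbox-rule tactic described in answer 1 leaves detectable traces. The following is an added example, not part of the CAMICO case or the firm's own tooling: it scans a mailbox's inbox rules, in the shape the Microsoft Graph messageRule resource returns them, for traits typical of a rule created by an intruder (external forwarding, silent deletion, hiding file-share or password notices). The organisation's domain and the sample rules are constructed for the example.

```python
"""Added example: flag attacker-style Microsoft 365 inbox rules (Graph messageRule shape; samples constructed)."""
from typing import Dict, List

INTERNAL_DOMAINS = {"example-cpa.test"}  # assumption: the firm's own mail domain
SECURITY_WORDS = ("shared a file", "password", "sign-in", "security alert", "invoice")
# Constructed export: one ordinary user rule, then two of the kind left after a
# mailbox takeover (hide file-share/password notices; forward everything out).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMk-newsletters-folder-id"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["shared a file with you", "reset your password"]},
     "actions": {"delete": True, "markAsRead": True, "stopProcessingRules": True}},
    {"displayName": "Sync", "isEnabled": True, "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker-mail.test"}}],
                 "markAsRead": True}},
]

def external_recipients(actions: dict) -> List[str]:
    """Forward/redirect targets whose domain is not one the organisation owns."""
    found = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key, []):
            addr = rcpt.get("emailAddress", {}).get("address", "")
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def suspicious_rules(rules: list) -> Dict[str, List[str]]:
    """Map each enabled rule's displayName to the reasons it looks attacker-made."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot act; review them separately
        acts, conds, reasons = rule.get("actions", {}), rule.get("conditions", {}), []
        if ext := external_recipients(acts):
            reasons.append("forwards mail outside the organisation: " + ", ".join(ext))
        if acts.get("delete") or acts.get("permanentDelete"):
            reasons.append("silently deletes matching mail")
        if acts.get("markAsRead") and (acts.get("moveToFolder") or acts.get("delete")):
            reasons.append("marks read and moves/deletes, hiding mail from the owner")
        words = conds.get("bodyOrSubjectContains", []) + conds.get("subjectContains", [])
        if any(k in w.lower() for w in words for k in SECURITY_WORDS):
            reasons.append("targets security or file-share notifications")
        if len(rule.get("displayName", "").strip(" .")) <= 1:
            reasons.append("blank or one-character rule name")
        if reasons:
            findings[rule.get("displayName", "")] = reasons
    return findings
```

Run the same checks over a real export of every mailbox, not just the one that was reported, since the firm here only found the rule after a colleague noticed the unexpected file share.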
The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.