In 2012, a New Jersey man hacked in several accounting firms, stealing the tax forms and personal information of over a thousand clients. He used this information to file more than $6 million in fake tax returns. He also sold the pilfered data to other hackers on the dark web. He was eventually caught by the FBI, but the damage to these clients was done The accounting firms involved had to notify their customers that they had been breached and that they were the root cause of their tax fraud nightmares. These victims were also left to wonder what other attacks were waiting for them now that their data was in the hands of other malicious sources who had purchased their confidential information.
This incident is not unique. Incidents of hacking and cyber-breaches are on the rise across all industries and for companies of all sizes. Accounting firms face the standard cyber-risks that all industries with internet-facing systems are exposed to, but they also face unique risks based on the nature of their work and the data that they possess, as outlined herein.
Grid32, a cyber-security provider, has seen these issues first-hand. We have performed proactive security assessments and penetration tests for many forward-thinking accounting firms, and have been involved in cyber-breach incident responses for companies who have already fallen victim to malicious cyberattacks. This case study seeks to outline the issues we have found and bring further attention to both the gravity of this situation and the need for action by those organizations who are not fully cognizant of this risk or who falsely assume they are safe.
In performing our security assessments and tests, Grid32 has found that, almost uniformly, our clients in the Accounting Industry have had vulnerabilities in their systems that would allow malicious attackers to gain access to a dangerous set of data and access, including:
• Access to company records, including financials, partner compensation, payroll records, and employee social security numbers and confidential information.
• Access to client data, including financials, tax records, data files, and access credentials.
• Ability to access banking and financial accounts, transfer money out, and re-route inbound funds.
• Access to IT administrator accounts, allowing full control of networks and all resources.
• Access to user accounts, including emails, network access, and all assigned capabilities.
• Full control over networks, devices, phone systems, and security systems.
Having access to all of these items at once is obviously troubling and it could be severely damaging in the wrong hands. Damages could include financial losses, law suites, government-imposed fines, embarrassment, and job loss. All of this access and information was gained remotely, without our attack team ever setting foot in the facilities. Thankfully, we are trusted professionals and we were able to provide remediation steps to our clients to close the security gaps and limit the likelihood that these attacks would occur in the real world. Unfortunately, we are concerned that far too many organizations are not taking the proper steps to prevent similar attacks. The issue looks to only be getting worse as attackers recognize the pervasiveness of vulnerabilities and caches of valuable data in this industry.
UNIQUE FACTORS AFFECTING ACCOUNTING FIRMS
Besides the standard risks inherent to all industries with internet-facing systems, accounting firms faces additional threats due to the volume and types of data that they typically house. As seen in the previously mentioned example, hackers are heavily targeting tax information so that they can file fraudulent tax returns. In 2013, the IRS paid $5.8 billion out in fraudulent tax returns. In addition, they prevented a further $24.2 billion, making a total of $30 billion in fraudulent federal tax returns filed. There is a significant volume of fraudulent returns being filed at the state level as well, to such a degree that Turbo Tax had to temporarily stop processing state returns in 2015. The IRS and individual States are getting better at detecting and preventing tax fraud, but this is only increasing the volume of attempts. Whereas hackers used to try to file, for example, three returns for $10,000 each, for a payoff of $30,000, now they need to file thirty returns, for $5,000 each, to get a similar return. This need to file a larger number of returns means that the attackers need to gain access to large caches of tax-payer data. Accounting firms are a perfect source for this, putting them squarely in the crosshairs of a malicious underworld that is becoming increasingly more organized and sophisticated.
In addition to the threat brought on by tax fraud, hackers have learned that breaching an accounting firm can have a similar payoff to breaching scores of companies and individuals, since you not only get the firm’s data, but usually troves of data on their clients. Besides tax fraud, there is also typically data attackers can access to perpetuate other cyber-crimes. This includes banking credentials, which can be used to perpetuate another trending attack, wire transfer fraud. Other sensitive data that hackers may be after includes personally identifiable information, employee records, business plans, intellectual property, or access credentials for client networks and resources.
These factors make accounting firms a certain target for malicious attackers, and there is an absolute need for all accounting firms to take proactive steps to protect their data, and the data of their clients, from prying eyes. Breaches can expose accounting firms to the direct costs of damage, claims for damages from clients or third-parties, costs of compliance or fines from statues or regulations, and damage to their image and reputation.
Besides the obvious need for accounting firms to protect their own information and that of their clients, being savvy with cybersecurity is just good business. Clients depend on accounting firms for advisement on many topics, including cybersecurity. Letting clients know that a firm takes cybersecurity seriously, proactively addressing threats, can be part of the marketing pitch to help attract and retain clients. It can even create billable services, as many accounting firms offer cybersecurity services, including many that upsell Grid32’s services to their client-base.
WHAT CAN BE DONE?
There are a few basic steps accounting firms should be taking to help mitigate this risk:
1. Have an Information Security Committee that meets regularly and includes key personnel and staff from relevant departments.
2. Have a written Information Security Program, with documented policies and procedures, as well as risk analyses and contingency plans.
3. Have a Penetration Test performed annually by an independent security firm, and ensure the remediation steps that come from the test are actuated.
4. Train all staff on Cyber-Security Awareness.
5. Use strong and unique passwords and enable two-factor authentication whenever possible.
6. Encrypt data when transmitted and when stored, especially data that resides on mobile devices such as laptops.
7. Allocate the proper funds for cyber-security.
1 WHAT IS A PENETRATION TEST?
A Penetration Test is a security exercise where a team of highly-trained security experts attempt to hack into the client’s network in order to find security weaknesses. The intent is to discover ways that a real-world attacker might be able to compromise the systems. The highly-trained security team is careful not to cause any actual harm and a report is provided detailing all of the vulnerabilities and weaknesses found and recommending what needs to be done to fix them.
In-house I.T. staff are usually pressured to make things functional and easy-to-use, which diametrically oppose security. Also, it is difficult for an organization’s own IT staff to objectively look at their own systems from an outsider’s perspective. Just like a CFO needs a CPA firm to review their financials, senior IT leadership benefits from having a team of certified security experts independently test their system to give them valuable insight.