Frank thought he was doing everything right. But when his business suffered a devastating data breach, he learned the hard way that it wasn’t just his data at risk—it was his hard-earned business reputation.
Frank’s Story
Frank spent over a decade building his accounting practice from the ground up. He and his wife, Elsa, worked tirelessly to ensure each client felt they were a priority. His mission was to provide good-quality accounting and excellent customer service.
His success was apparent. He now had 2 locations and over a dozen employees on his team. If you asked someone for a referral for a good accountant, Frank’s name was at the top of everyone’s list.
Frank thought he was doing everything correctly. He adhered to IRS guidelines, had the latest technology, processed and stored returns digitally, e-filed returns, and had no paper storage of files, which allowed his team to work efficiently regardless of which office they worked from.
It took just one day to ruin his Business Reputation.
What Frank didn’t know, what Frank couldn’t have known, was that he had hidden vulnerabilities that would soon lead to a data breach, putting his business at risk and his business reputation in jeopardy.
It was a busy January day as the team was getting things ready to prepare dozens of tax returns. At this time of the year, everyone is multitasking. Sue Ann, the Office Manager, received an email. The email came from the practice management software vendor. It appeared urgent; it requested that Sue Ann change her login credentials due to a security issue. She clicked on the link in the email and entered her login details.
The Start of the Data Breach:
Cybercriminals are becoming more sophisticated. They are developing new ways to trick an end user into falling for phishing scams. Security awareness training trains users to spot phishing attempts, ask questions, and help deter social engineering.
If Sue Ann had had the proper training, she might have noticed something off about the email.
The criminals now had administrative control over the cloud-based practice management software. Over the decade that Frank has been in business, he has seen hundreds of companies and individuals, with thousands of records in the practice software. The types of information in the database included:
- Names and Addresses
- Social Security numbers and EINs
- Bank Account and Routing Numbers
It also included the firm’s banking, EIN, and credentials for submitting returns.
The Aftermath: A Business Reputation at Risk
It was almost midway through the “tax season” when clients started to call Frank’s office about not receiving their tax refunds. Getting a few calls during the season was customary, but the volume of calls was extraordinary. Clients also reported unauthorized access to their bank accounts and identity theft incidents. At the same time, Frank noticed some odd things going on with their bank accounts. That is when he suspected a data breach!
Incident Response
Realizing that something was not right, Frank reached out to Underdog Cyber Defense. He explained what was happening, and we began our investigation. We determined the event’s root cause and the breach’s extent. The phishing email was not the beginning of the security breach. It turned out that the cybercriminals had been in the email system much longer than initially thought. After all, they determined that Sue Ann was the correct person to target and what software to use. How do you think they knew that?
Actual Root Cause of the Data Breach
Earlier, we mentioned that Frank had hidden vulnerabilities. Because the practice was all digital, Frank’s team could work from home.
- They used their home computers, which did not have adequate protection.
- They had weak passwords and did not use MFA for anything.
- Their email system did not have advanced protections.
- They had outdated software running on their home computers.
- They had an IT provider that was not actively monitoring and patching vulnerabilities.
So, sometime around August of the year prior, Mike, one of the employees, was working from home. Mike checked his email and clicked on a phishing email. The email downloaded a malware executable to Mike’s computer. Once the malware executed, it downloaded a keylogger and remote control software onto Mike’s computer. At this point, it started reporting all the keystrokes to a control server.
Furthering the attack
The cybercriminals could access Mike’s email and review all messages going in and out. They could then “look” around to see how the organization was set up. They still needed the correct permissions to see all messages going in and out of the mail system. So, they ran internal phishing scams on the employees to find someone with admin access to the system.
Finally, they sent a phishing email to Frank. Once they got Frank’s credentials, they created rules and permissions, allowing them to “insert” themselves into the conversation while remaining hidden.
They learned more about Frank’s company and where the interesting data was kept. This was where they learned of the practice management software and, through careful monitoring, that Sue Ann was the admin of that software.
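One way a defender can look for the kind of hidden mailbox rules described above, shown as an added example that is not part of the original article. The record fields, rule names, folder list, and domains are hypothetical and constructed for illustration; they do not reflect any particular mail platform's export format.

```python
# Added example: flag inbox rules that forward mail outside the organization
# or quietly hide messages from the mailbox owner.
# Field names are hypothetical, not a real mail platform's schema.

ORG_DOMAIN = "example-accounting.test"  # assumed internal mail domain
HIDING_FOLDERS = {"rss feeds", "archive", "conversation history",
                  "deleted items", "junk email"}
ALERT_WORDS = {"password", "invoice", "security", "hacked", "wire"}

SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "frank", "name": "Newsletters", "forward_to": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False,
     "keywords": ["newsletter"]},
    {"mailbox": "frank", "name": ".", "forward_to": ["drop@mail-relay.invalid"],
     "move_to": None, "delete": False, "mark_read": True, "keywords": []},
    {"mailbox": "mike", "name": "..", "forward_to": [],
     "move_to": "RSS Feeds", "delete": False, "mark_read": True,
     "keywords": ["password", "security"]},
]

def is_external(address, org_domain=ORG_DOMAIN):
    """True when the address is outside the organization's mail domain."""
    return address.rsplit("@", 1)[-1].lower() != org_domain

def rule_findings(rule):
    """Return the list of reasons a single inbox rule looks suspicious."""
    findings = []
    if any(is_external(a) for a in rule.get("forward_to", [])):
        findings.append("forwards to external address")
    folder = (rule.get("move_to") or "").lower()
    hides = bool(rule.get("delete")) or folder in HIDING_FOLDERS
    if hides and rule.get("mark_read"):
        findings.append("hides mail and marks it read")
    if hides and ALERT_WORDS & {k.lower() for k in rule.get("keywords", [])}:
        findings.append("hides security-related mail")
    if not rule.get("name", "").strip(". "):
        findings.append("blank or punctuation-only rule name")
    return findings

def audit(rules):
    """Map (mailbox, rule name) to findings for every rule that has any."""
    report = {(r["mailbox"], r["name"]): rule_findings(r) for r in rules}
    return {key: found for key, found in report.items() if found}

if __name__ == "__main__":
    for (mailbox, name), found in audit(SAMPLE_RULES).items():
        print(f"{mailbox}: rule {name!r}: {', '.join(found)}")
```

Running a review like this on a schedule, and alerting when a new rule appears, shortens the time an intruder can sit unnoticed in a mailbox.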
Conclusion of the Data Breach and the Aftermath
After concluding the investigation, Frank had to notify his employees, clients, and the government of his breach. Frank’s problems had only begun.
- He faces fines and litigation for not having the proper cyber protection.
- He faces a financial loss to his business due to the Incident Response, Breach Notification, and Monitoring he needed to do.
- He faces a loss in business as he notifies his clients.
  - They are taking their business elsewhere.
  - They are no longer referring others to Frank’s business.
  - They are telling people what happened.
Over a dozen families directly relied on Frank’s business, which is also in jeopardy.
Concerned?
How protected is your business? Give us a call today at 570-243-9205 or book an appointment to have a candid conversation.