It seems like every other day we’re seeing a new story about an accounting firm that’s suffered a data breach. Just the other day, CBIZ revealed bad actors exploited a vulnerability on one of its web pages and acquired information from retiree health and welfare plan databases including Social Security numbers. They did not report the number of total affected individuals.
The most recent incident was the second time Social Security numbers were stolen from CBIZ (that we know of), the first being last year’s MOVEit breach that affected EY and PwC as well.
On September 19, a tiny little firm in Louisiana called Wright, Moore, DeHart, Dupuis & Hutchinson, LLC informed 127,431 people that their personal data including first and last name, Social Security number, driver’s license number, financial account number, passport number, and medical/treatment information may have been accessed by unauthorized explorers digging through their systems. The “what happened” section of the data breach notification doesn’t give many details, only that the firm noticed “unusual network activity” on or around July 11 of last year. The notification filed with the Maine Attorney General states the breach was discovered on September 10, 2024 but the firm said in the notification that an independent review into what data had been compromised was completed on July 18, 2024.
This is what they said:
On or around July 11, 2023, WMDDH became aware of unusual network activity and immediately took steps to secure our systems. We launched an investigation with the assistance of leading cybersecurity experts to determine what happened and whether sensitive or personal information may have been affected during the incident. As a result of the investigation, we identified that certain WMDDH data may have been acquired without authorization. WMDDH then engaged an independent team to conduct a comprehensive review of all potentially affected data, and on May 8, 2024, that review determined that your personal information may have been affected. WMDDH then worked diligently to identify contact information to effectuate notification and prepare the services being offered to affected individuals, as provided in more detail below. This process was completed on July 18, 2024.
Why does an accounting firm with 55 people working there (including partners and support staff) have Social Security numbers, driver’s license numbers, financial account numbers, passport numbers, and medical/treatment information for nearly 130,000 people? The notification doesn’t say. But it really makes you think about who has your data and what they’re doing to protect it.
Law firms are already promoting a potential class action suit.
Why does a firm with 55 people have SSNs on 130,000 people was my first question too. But then it occurred to me that maybe they audit a pension plan for a business customer, or maybe they provide payroll services. That could account for it. Surely they didn’t get that many SSNs from doing regular tax returns.
It’s possible they audit employee benefit plans. The data provided to firms during an audit of an EBP can include PII of tens of thousands of participants and employees of the plan sponsor. And even small firms can perform dozens or hundreds of EBP audits.