Even when a cyber incident is detected, the full consequences of the intrusion may not make themselves felt until much later, as evidenced by an accounting firm that learned this lesson the hard way.
Our story begins with a managing partner at a regional accounting firm specializing in audits. One day, a staff member called him and asked whether he really was requesting that she download a file from a linked hosting service. He had not, and so they alerted the firm's outsourced IT vendor to look into the matter.
The vendor ran a scan of the system and found no viruses or other threats. All normal there. But something else was very curious. Whenever the managing partner logged into his email system from the remote network or a local server, all was well. But if he logged into the same account via the web, a rule involving the account's file-sharing service appeared, one he was sure he had not created himself. When he tried to log into the account's file-sharing service, the login failed. Eventually the vendor was able to reset his password and delete the rule. Afterward, they set up two-factor ("dual") authentication for the account. Other staff followed his lead and also set up two-factor authentication for their accounts.
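An attacker-created mailbox rule like the one above is often the first visible trace of a compromised account, so a defender's check is to audit every user's rules for the patterns such rules tend to share. The following is an added example, not code from the original article or from the firm's vendor; it assumes a constructed, generic rule export (the field names and the firm's mail domain are hypothetical), and the keyword list reflects terms commonly filtered by fraud-related rules rather than anything the article states.

```python
"""Audit exported mailbox rules for signs of account compromise."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-cpa.com"}  # constructed: the firm's own mail domain
# Folders users rarely open; attackers park diverted mail here so the owner does not notice.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk", "archive"}
# Assumed keyword list: subjects a fraud-related rule typically intercepts.
SUSPECT_KEYWORDS = ("password", "invoice", "wire", "suspicious", "hacked", "file share")


@dataclass
class Finding:
    rule: str
    owner: str
    reasons: list = field(default_factory=list)


def _external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return a Finding listing why a rule looks suspicious, or None if it looks benign."""
    reasons = []
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    for addr in actions.get("forward_to", []):
        if _external(addr):
            reasons.append(f"forwards mail to external address {addr}")
    if actions.get("delete"):
        reasons.append("silently deletes matching mail")
    folder = (actions.get("move_to") or "").lower()
    if folder in SUSPECT_FOLDERS:
        reasons.append(f"moves matching mail to rarely read folder '{folder}'")
    if actions.get("mark_read") and (folder or actions.get("delete")):
        reasons.append("marks mail as read before hiding it")
    words = [w.lower() for w in conds.get("subject_contains", [])]
    if any(k in words for k in SUSPECT_KEYWORDS):
        reasons.append("filters on keywords typical of fraud or incident-response traffic")
    if rule.get("name", "").strip() in ("", ".", ","):
        reasons.append("blank or single-character rule name")
    return Finding(rule.get("name", ""), rule.get("owner", ""), reasons) if reasons else None


def audit_rules(rules):
    return [f for f in (audit_rule(r) for r in rules) if f]


SAMPLE_RULES = [  # constructed sample export: one benign rule, one attacker-style rule
    {"name": "Client invoices", "owner": "partner@example-cpa.com",
     "conditions": {"from": ["billing@audit-client.example"]},
     "actions": {"move_to": "Clients/Audit"}},
    {"name": ".", "owner": "partner@example-cpa.com",
     "conditions": {"subject_contains": ["password", "suspicious", "file share"]},
     "actions": {"mark_read": True, "move_to": "RSS Subscriptions",
                 "forward_to": ["drop@mailbox.example"]}},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.owner}: rule {f.rule!r}: " + "; ".join(f.reasons))
```

Running the audit across all mailboxes on a schedule, and alerting on any new finding, surfaces this kind of rule without waiting for a colleague to question an odd request.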
Lesson learned and crisis averted, right? No. Ten months later, the firm determined there had been a privacy breach involving 19,000 individuals. Investigators needed to undertake the arduous process of pulling thousands of items to identify the population of those potentially impacted, so they could determine who to send breach-notification letters to.
The analysis eventually revealed that virtually all the compromised data was connected to a single audit client; the eight files involving the client dated back to between 2009 and 2011. This included a large spreadsheet with people's names and personally identifiable information. What seemed to have happened was that old emails with this data had been left unencrypted in an account, meaning they were available for any hacker to access. This was at least partially due to the firm not having a policy regarding the retention of sensitive emails.
Ultimately, though the firm notified all the individuals potentially impacted by this breach, the damage had already been done. That is why, a short time later, the firm was served with a class-action lawsuit from those whose personal, confidential information was leaked.
This real-life example was provided to us by professional liability insurer Camico, which had this to say about the situation:
"The dated, sensitive information should have been protected and secured, and then later carefully destroyed. The responsibility falls on the CPA firm, as their email account containing unencrypted, PII data needed to be safeguarded. Email accounts that have been compromised allow hackers to put rules on the account and send purported messages — such as from a CPA firm — asking for money or to click on a harmful link."
"Security such as authentication is critical for company accounts, only permitting authenticated users to gain access to protected resources," the insurer warned. "Email retention policies are vital for a firm — or any business — to save space on your email server and stay in compliance with federal and industry record-keeping regulations. Retaining emails for a longer amount of time than necessary exposes a company to security and legal risks and can compromise data assets."
The resolution of the lawsuit is uncertain at this time.