An Inside Look at Tax Office Data Theft

Intuit® ProConnect™ recently hosted a webinar featuring an owner of a tax and accounting firm who had been the victim of a remote access data theft. The firm owner, who used the alias “Tom” to maintain anonymity, shared in detail the painful journey his firm experienced.

Tom’s firm was like many tax offices. Tom has a staff of three CPAs, six non-professionals, and about 650 clients. The firm’s service offerings include audits, compilations, bookkeeping, payroll, taxes and QuickBooks® consulting. Tom’s firm had been in practice more than 20 years. And like most firms, Tom believed his network and data were secure from cyber criminals.

“We had an IT professional on call,” Tom said. “Our password strength was ‘fair,’ and we did not have a requirement to change passwords. We ran a good anti-virus program. We had a firewall in place. I thought since the anti-virus program caught viruses sometimes and quarantined it, it was working. I had a false sense of security.”

With the benefit of hindsight, Tom recognizes some gaps in the previous security plan. “We were running a deep scan with our anti-virus program weekly. In retrospect, we should have been running it daily [on each machine], because then it would have caught the bad guys. The system did discover the bad guys after the event.”

The firm now understands the value of a strong password program. Tom said, “We rarely changed passwords. Like every five years. And worse, we used the same passwords on multiple machines and applications, which is a no-no.”

The failure to require users to regularly change passwords was a security hole. Criminals often rely on old lists of username-password combinations that they test against applications to gain access. Changing passwords regularly and using random, unique, strong passwords can help prevent access by those criminals testing lists for access.

The network was also configured to allow remote access by Tom and another professional in the office. “We had a computer at the house where we worked from time to time,” Tom said. “And then we used the remote access with a passcode to access the network. In retrospect, it was a simple passcode. Unfortunately, all our old passcodes were simple compared to current ones.” Symantec reports that more than 50 percent of remote access data thefts use Remote Desktop Protocol to get access, while utilizing other remote access applications the rest of the time.

“We would typically review our procedures [annually] when the licenses came due or if there was a problem, but there was not a normal routine to review our procedures to see if they were working adequately,” Tom shared. “And we did not have a written security plan – just a general understanding with our IT person. We were not really concerned about it.”

The firm first noticed a problem in August 2016, when it identified e-file acknowledgements for returns that it did not file. The firm immediately contacted support to investigate.

“[The Intuit support team] sent us to a special [fraud] team, who helped us realize there might have been a cyber-attack and we need to investigate. [Intuit] had a special team that could run reports that were very helpful for us to get our arms around the problem. They were a great help.” The support team engaged Tom with the fraud team, who helped the firm identify that about 45 unauthorized returns had been changed and e-filed.

Once Tom’s firm understood it had been a victim of remote access data theft, and unauthorized returns had been e-filed from the office, the firm took action to mitigate the damage. “[The Intuit support] team emailed me a list of things to do. One of the first things was that since someone was using our EFIN number, we immediately called the IRS and changed our EFIN number. That stopped returns from being filed by the bad guys. “Unfortunately, I entered the new EFIN on my computer, not aware that the bad guy was still in my computer.” 

That led Tom to engage his IT pro to run deep scans and identify that two workstations were infected, secure the network, then request a second EFIN from IRS that was not compromised.

On the fraudulently changed and e-filed returns, Tom said, “My staff noticed that the refunds were directed to a single bank routing number. They had already set up accounts for these clients using refund transfers. The IRS refunds were all between $9,000 and $10,000.” Tom’s firm immediately contacted IRS and the states to alert them to potential fraudulent refunds.

Fortunately, Tom’s firm had data theft protection insurance, which helped engage a forensic IT firm to locate the source of the cyber-attack, coordinate with law enforcement, and notify the appropriate agencies and clients as required by law. The firm only had about 650 clients, but had to send many more notifications about the disclosure. “Unfortunately, we had been in business for 20 years, and we stored all our information on computers instead of taking it off. And we did W-2 payrolls. So we had to list everyone with a social security with the last known address to send notices. The 650 clients ballooned up to over 3,000.”

Tom and his staff then called every client to discuss the event. Tom said, “We paid for one year of [identity theft] coverage for all our clients with AllClear ID.” Tom recommends all firms add data theft insurance coverage to their professional liability insurance.

When asked what he would say to other firms to help prevent becoming victims of cyber theft, Tom offered the following advice:

• You need a good IT security professional and a good antivirus system, use strong passwords, change passwords quarterly, use firewalls, obtain cyber-insurance coverage, and remove old data.
• Run deep searches [by anti-virus software] every day, on every workstation.
• We have a cyber-specialist guy who [monitors our logs], and bells go off if employees go to bad locations, or there is a problem, 24/7.
• We use upper, lower case and special characters in strong passwords. We change those strong passwords for network access and email access every quarter.
• We do [remote access] differently now. Laptops are encrypted and they use a [VPN] tunnel to get into the network.
• After three or four years, take the data off your server so that it is not accessible.
• On our prior year [tax return] files, we put a passcode on all our returns. The criminals go in quick, get what they can, and get out. They don’t have time to break a code on each client.

For more information, check out free training courses from Intuit ProConnect to help educate firms about safeguarding taxpayer data, or visit the IRS’ “Protect Your Clients; Protect Yourself” website.

Comments are closed.