Heier Weisbrot & Bernstein (HW&B), an accounting firm based in Gibbsboro, New Jersey, has reported a data breach that went beyond simple data snooping. The unauthorised individuals gained access to the firm's tax software and attempted to file fraudulent tax returns on behalf of clients.
In a consumer notification filed with the Attorney General of Maine on 7 August, HW&B revealed that on 27 June 2024, they detected an attempt to submit fraudulent tax returns for a limited number of their clients. The firm swiftly reported the incident to the IRS and worked collaboratively to prevent the processing of any further fraudulent returns.
The investigation, conducted with the assistance of a third-party cybersecurity firm, uncovered that the unauthorised actor accessed HW&B's tax software between 22 and 26 June 2024. The accessible files contained sensitive personal information for seven Maine residents, including names, Social Security numbers, driver's license numbers, and financial account details for direct deposit of tax refunds. While the investigation could not definitively determine if the information was actually accessed or acquired, HW&B concluded their analysis of the compromised data on 29 July 2024.
As a precautionary measure, HW&B is offering affected individuals one year of identity monitoring services through IDX, which includes credit and CyberScan monitoring, a £800,000 insurance reimbursement policy, and managed identity theft recovery services. The firm strongly encourages recipients to enroll in the IRS' Identity Protection PIN (IP PIN) programme and provided a link to the IRS website for registration.
In their statement, HW&B expressed regret for any inconvenience caused by the breach and assured clients they are taking steps to strengthen their system security to prevent similar incidents in the future.
This recent incident follows a string of data breaches affecting major accounting firms, including EY and PwC. As businesses increasingly rely on digital solutions for managing sensitive information, the need for robust cybersecurity measures becomes paramount. The HW&B case serves as a stark reminder of the potential consequences of inadequate security protocols and the importance of proactive measures to protect sensitive data.