Lessons from a CPA whose firm delivered a ‘textbook response’ to data breach
A click on a link in an email that could have brought down Catharine Drake Madeley’s CPA firm instead caused 40 clients whose tax information was exposed in a data breach to think of her and her staff even more as trusted advisers.
But before that could happen, Madeley, the owner of Salling Madeley PLLC in Austin, Texas, endured what she described as “one of the hardest things I went through in my professional career.”
Last week at AICPA & CIMA ENGAGE 25, Madeley discussed how hackers gained access to some of her firm’s client data. Joining her for the session on data security was Terry Lemons, a retired IRS communications and liaison chief, who said prevention is the most important aspect of IT security but that a quick response to a breach is crucial as well.
A common question from CPAs to the IRS when their data is breached is, “Do I have to tell my clients?” Lemons said. “That is the biggest hesitancy. Tax pros are afraid if the word gets out they had a data breach, their business is ruined. Catharine’s story shows it is not. There’s a path forward on this.”
The data breach
Madeley wasn’t seeing that path on Sept. 13, 2022, when she realized that hackers had gained access to a portal at the firm. Earlier in the month, a part-time employee received an email that appeared to come from Microsoft saying her password was about to expire. “Click here to keep using your password,” it said.
“And she clicked on it, and she entered her password, and, poof, like magic, they had access to her email account,” Madeley said. “And they got into her email account and started looking around and figured out what portal we use to exchange data with our clients. And they went over to that portal, and they clicked on the button that said, ‘forgot password.’ That sent an email to the email address that they now have access to for them to reset her password.”
The firm had multifactor authentication on the portal, but the only second factor it offered was a confirmation code sent to the employee’s email address. Because the hackers already controlled that mailbox, they received the verification code along with the password-reset email, so the second factor gave no independent protection.
The response
When her office manager told her that a client had uploaded information for a part-time employee, Madeley was confused because the employee was not working with that client.
Silent shock engulfed Madeley and the office manager as they realized what was happening. Madeley called the firm’s IT company, and the office manager called the employee. Within 15 minutes, the employee’s access to everything was cut off. “If there was an entry point with her name on it, it was shut down,” Madeley said.
Even though the hackers had been taking data for two days before the breach was discovered, that quick response was still imperative, Lemons said.
“Many tax professionals that have a data breach and come into the IRS, you know what they do? They freeze up,” he said. “They don’t know what to do. And basically, it can take days before they start shutting things down, which is hard to believe. She really delivered that great rapid response with this. And that’s really important.”
From there, Madeley was in a whirlwind of phone calls and meetings with IT, the insurance company, the tax software provider, state and local authorities, and the IRS.
The steps she took were driven by considering the worst-case scenario.
For example, the hackers had Madeley’s preparer tax identification number and her electronic filing identification number, which would enable them to submit fake returns through a different software provider. Madeley logged in to her IRS Tax Pro Account to check whether returns with those numbers had been submitted.
“Remember,” she said, “we’re vulnerable from multiple points of attack at this point.”
The investigation lasted more than 90 days, ending Dec. 17. Under Texas law at the time, the 60-day period to notify clients began when the data breach investigation ended, Madeley said.
The client notifications
But Madeley had started that notification process on Day One because she was certain that the data of 40 clients had been exposed, and she knew the hackers had looked at those clients’ Forms W-2 with estimated tax payment deposits in the hundreds of thousands of dollars.
She had one-on-one conversations with most of those clients; others she couldn’t reach got emails.
“To a person, not one of them got mad at us, not one of them raised their voices, not one of them cried,” she said. “We helped them get their ID.me accounts, set up their IRS taxpayer accounts, get their IP PINs [identity protection personal identification numbers]. We helped them protect their credit. We talked to them about the importance of checking their bank accounts regularly for a bit. We became more trusted advisers. We addressed it promptly and honestly, and they didn’t blame us. We didn’t lose a single client in this process.”
Madeley’s handling of the breach “is a textbook response on how you need to do it,” Lemons said. “I mean, number one, prevention is the most important step. But if it hits you: isolate and speed — contain it. And for me, this is what makes her story so powerful because she got it locked down. … A lot of firms are not so lucky.”
CPAs as targets
Before the breach, Madeley thought her 200-client firm was too small to attract the attention of identity thieves. But any firm is a potential target because CPAs are “sitting on a treasure trove of information,” Lemons said. “You guys are vulnerable. … They’re coming to get you, essentially.”
With the IRS facing a two-year wait to resolve identity theft cases, it’s especially important to take steps to avoid data breaches, Lemons said. He and Madeley recommended ways to minimize the potential for breaches and to be in the best position if one occurs:
- Make sure your written information security plan (WISP) is robust and updated, Madeley said. For example, has your firm added a chat feature? If so, that needs to be added to a WISP. “It needs to be constantly evolving with you,” she said.
- Have an IP PIN, which is a six-digit number that prevents someone else from filing a tax return using your Social Security number or individual taxpayer identification number because it’s known only to the taxpayer and the IRS. Some consider IP PINs to be inconvenient, but “they are a silver bullet to protect against identity theft,” Lemons said.
- When a breach occurs, contact the IRS stakeholder liaison for your state, Madeley said. That person will help you confirm for the IRS that a submitted return is not coming from an identity thief, she said.
— To comment on this article or to suggest an idea for another article, contact Martha Waggoner at Martha.Waggoner@aicpa-cima.com.