
Gustafson & Co data breach stresses the importance of cybersecurity for CPAs

Due to the rise of technology and the digital transformation that occurred before and after COVID-19 hit the world, many CPA firms have faced increasing levels of cybersecurity threats, and there have been some noteworthy cybersecurity incidents. One significant example was the data breach at the public accounting firm Gustafson & Company.

On January 28, 2020, the IT vendor of Portland-based accounting firm Gustafson & Company detected a potential threat. The vendor then removed it, took the machine offline, and wiped it before reinstalling it. In February 2020, Gustafson learned that three clients had fraudulent 2019 tax returns filed. On March 5, 2020, Gustafson learned that five additional clients had fraudulent 2019 tax returns filed.

At that time, Gustafson called their insurance company and hired a forensic investigation firm. That firm identified additional evidence that the January review failed to uncover. These were:

  • From at least January 22, 2020, through January 28, 2020, the threat actor had used the remote access trojan to access some of the 2018 client tax return files contained on Gustafson’s network share drive.
  • Because of the nature of the remote access trojan, the threat actor was able to decrypt the files on the shared drive.

Months later, the firm notified 2,207 consumers that their information was potentially accessed and acquired by the threat actor.

Gustafson & Co later provided consumers who were potentially affected by the incident, which involved identity theft, with credit monitoring and resolution services at no charge. The cost of providing this to clients was likely in the hundreds of thousands of dollars.

In the aftermath of the attack, the company was fined $50,000 for failing to disclose the data breach. The Oregon Department of Justice noted that Gustafson violated various consumer protection laws by failing to prevent the data breach and failing to respond to it in a timely manner. The company also failed to notify consumers in a timely manner.

The cyber incident at Gustafson & Company is a prime example of why cyber-attacks against CPA firms can have dire consequences.

Cyberthreats have, over the years, threatened the financial stability and profitability of CPA firms. Because CPAs handle the sensitive information of clients, having proper security measures in place to prevent a breach is now a necessity.

Another aspect that CPAs must keep in mind is that, although it is commonly reported that large companies get attacked by hackers, most of the time the targets are small businesses, which find it harder to recover because of how dependent they are on their systems staying secure. In many cases, these small companies go bankrupt after being hit by a cyberattack.

Cyber-attacks are on the rise, and cost businesses around $400 billion a year. Aside from financial losses, they also affect the brand image of companies. To prevent these types of attacks, CPA firms must invest in proper security measures.

On the bright side, several CPA firms are taking cybersecurity more seriously than ever. They understand that better cybersecurity translates to better business. With 72% of tax-filing adults in the US expressing some level of concern over their personal data being compromised when they file taxes, several CPAs are carefully considering threats connected to software, hardware, and communications channels. Being prepared for potential attacks is a strategy that small businesses can continue to implement for a safer future.