Wilson Elser’s Cyber Incident Response Team has seen an alarming uptick in cyber-criminal activity targeted at professional services firms, particularly accounting firms. As described in more detail below, the criminal activity follows a very specific pattern. We take this opportunity to remind all professionals of the need to be wary and skeptical of the communications they receive electronically. Consider starting the New Year with training and education for yourself as well as your partners, staff and employees on cyber risk, how best to avoid an attack, and how to mitigate any damages if an attack occurs.
In the past three months, we have noticed a pattern of activity targeted at small to midsize professional services firms. Attackers attempt to gain access to computer systems containing sensitive financial information, which may result in a legal duty on the part of the professional to notify their clients that their confidential information was or may have been exposed.
So what does an attack look like?
Even if the sale is rejected by the user, once access is granted, the cyber-criminal has full access to the files on the computer. Even if the hacker does not access or download sensitive information, the mere fact that the server was hacked could trigger client notification obligations under state laws, since it is not always possible to conclusively prove whether the cyber-criminal did indeed access or download the information.
While this activity seems to be targeting accounting firms, it is likely that any organization that handles sensitive client information will be targeted.
So how do you protect yourself?
Wilson Elser’s Data Privacy & Security practice is available to provide education and training to your organization and assistance in the event you are the victim of an attack.