Just when you thought things couldn’t get any worse for KPMG, we have this news coming out of Mexico. And it seems really bad.
José Soto Galindo of El Economista reported (translated from Spanish):
A group of software developers of KPMG Mexico downloaded without authorization from their holders digital tax receipts from the Tax Administration Service (SAT) and with them created a database that was exposed on the Internet, without passwords or security controls, between November 2018 and January 2019, according to a KPMG Mexico report sent to affected customers.
In the confidential report, of which this reporter has a copy in English, a detailed description is made of what KPMG Mexico calls “information security incident”, which he regrets “deeply” and for which he commits to work with those affected to “mitigate any consequences”. A spokesperson for one of the corporations involved confirmed, on condition of anonymity, that they had received information from KPMG about the incident.
So, anyone with an Internet connection, which is pretty much everyone, could have seen the “personal and tax data of employees of at least 41 clients,” according to El Economista, that trusted KPMG not to put that shit on the Internet for everyone to see.
Some of KPMG Mexico’s clients allegedly affected by this mess include:
- Operadora de Hospitales Ángeles
- ITESO, the Jesuit University of Guadalajara
- Profuturo GNP
Some of the employee data that was allegedly exposed includes:
- Federal Taxpayer Registry Codes
- Unique Code of Population Registration (CURP)
- Social security numbers
- Bank account numbers
- Salary information
According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure.
El Economista reported:
The “small group” worked on the development of a technology called Fiscal Platform. “The data had to be downloaded through the secure KPMG network to a secure server approved by KPMG. Instead, the small group downloaded the information in an unauthorized environment, without the knowledge of the KPMG Information Security office and in contravention of a previous address of that office. All these actions were very serious violations of our policies, “says the document.
The document, according to El Economista, also said that an “intruder” gained access to the database:
On January 30, 2019, KPMG Mexico Information Security and its Office of General Counsel learned of the existence of the Unauthorized Environment and the fact that it had been entered by at least one intruder. It is important to re-emphasize that the database that was hosted and compromised in the Unauthorized Environment was installed with default settings, which resulted in it being accessible without a password to anyone on the Internet. Thus, we believe it was likely easily detected through scanning software commonly used by many. For the same reason, we believe that any intruders were not targeting KPMG Mexico and that the intrusion was simply opportunistic.
On January 29, 2019, upon being contacted by another KPMG client who had been contacted by a blogger about the Incident, the Small Group then deleted the Unauthorized Environment – again, without authorization. Thus, it is unfortunately not possible, through recovery processes, to determine precisely what information was in the Unauthorized Environment or which information is potentially in the possession of any unauthorized third party. It is also not possible to determine precisely what Information, if any, was taken.
As a result, KPMG has offered to all affected clients’ employees, whose information could have been in the unauthorized database, monitoring services provided by Experian Information Solutions Inc.
According to the document, two KPMG employees, who were in the “small group,” were fired, and the others have been suspended and are awaiting further disciplinary action pending the results of an internal investigation.
In an email sent to El Economista, Roberto Cabrera Siles, KPMG Mexico partner in charge of media communication, said: “For reasons of confidentiality with our clients, we are not in a position to provide additional details, although we are undoubtedly working closely with the clients involved.”
We’ll keep you guys updated on this latest KPMG mess when new information is available.