Mexican authorities said KPMG Mexico could be fined as much as 30 million pesos (about $1.57 million) for exposing the confidential payroll data of employees at 41 of its clients, which was housed in an unsecured database that wound up on the Internet.
According to El Economista, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) will decide whether KPMG was in compliance with the requirements of Mexico’s federal laws on personal data protection and, if not, whether the firm deserves a hefty penalty.
Cynthia Solís, a partner with IT legal advisory firm Lex Inf, told El Economista that if KPMG is found to have violated federal data protection laws, “I think we are talking about a million-dollar fine, between 20 million and 30 million pesos.”
But if the INAI finds that the firm was compliant with the law’s requirements, the KPMG Mexico employees who were responsible for the data leak would be the ones fined, not the firm, Solís said.
She added, however:
“At the outset, there is a well-founded presumption that KPMG did not correctly apply the physical, technical and administrative measures to safeguard this data.”
According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure. Kept in that database was information from digital tax receipts that the KPMG employees downloaded from the Tax Administration Service, the revenue service of the Mexican federal government, according to El Economista.
“It is important to re-emphasize that the database that was hosted in the unauthorized environment was installed with default settings, which resulted in it being accessible without a password to anyone on the Internet,” KPMG said in the report.
The report also states that an “unauthorized third party” gained access to the database.
“The small group then deleted the unauthorized environment—again, without authorization. Thus, it is unfortunately not possible, through recovery processes, to determine precisely what information was in the unauthorized environment or which information is potentially in the possession of any unauthorized third party. It is also not possible to determine precisely what Information, if any, was taken,” KPMG said.
As a precaution, KPMG Mexico has offered monitoring services provided by Experian Information Solutions Inc. to all employees of affected clients whose information could have been in the unauthorized database.
Some of the employee data that was allegedly exposed, according to El Economista, includes:
- Federal Taxpayer Registry Codes
- Unique Code of Population Registration (CURP)
- Social security numbers
- Bank account numbers
- Salary information
Two KPMG Mexico employees, who were part of the “small group,” were fired, and the others have been suspended and are awaiting further disciplinary action pending the results of an internal investigation.