Cyber Incident Victim: Gatto, Pope & Walrick LLP

Date: Mar 2022

Location: United States of America

Summary

An accounting firm experienced a data breach after an unauthorized party accessed an employee's email account over a period of several weeks, compromising sensitive client information including names, addresses, Social Security numbers, government identification details, and financial account data. The intrusion was detected following client reports of IRS identity verification requests and an unusual volume of rejected tax returns filed through the firm. The San Diego-based CPA practice, specializing in tax services for high-net-worth individuals and businesses, secured its systems and initiated an investigation confirming unauthorized access to files. Notification letters were subsequently distributed to affected individuals regarding the exposure of their personal and financial information.

Description

In April 2022, Gatto, Pope & Walrick (GPW) began receiving client reports that the Internal Revenue Service (IRS) was contacting them to verify identities. The firm simultaneously observed an unusually high rate of IRS rejections for tax returns it had filed on behalf of clients. These anomalies prompted GPW to initiate security measures to protect its systems and launch a formal investigation into potential causes. The investigation determined that an unauthorized party had gained access to at least one employee email account between March 17, 2022, and May 8, 2022. During this 53-day period, the intruder accessed or acquired files containing sensitive client information. While the investigation remained ongoing as of July 2022, GPW confirmed the breach compromised names, addresses, Social Security numbers, government-issued identification numbers, and financial account information. The scope of impacted data varied by individual client. On July 27, 2022, GPW publicly confirmed the data security incident and issued formal "NOTICE OF DATA SECURITY INCIDENT" letters to all affected individuals.

GPW, a San Diego-based Certified Public Accountant firm specializing in tax services and business consulting for high-net-worth clients, employed 46 staff and generated approximately $8 million in annual revenue at the time of the breach. The compromised data exposed clients to tax return fraud risks, where malicious actors could file fraudulent returns using stolen identities to claim refunds. The firm's notification letters outlined specific breach details but did not disclose technical specifics about network vulnerabilities or the exact method of email account compromise. GPW's containment response included securing systems upon detecting irregularities and conducting a file review to identify compromised information categories and affected clients. The incident disrupted GPW's tax filing operations for multiple clients during the 2022 tax season, as evidenced by the IRS's rejection of legitimate returns and subsequent identity verification requests to clients.
