Federal Tax Updates

In this episode, Roger sits down with Catharine Madeley, a tax practitioner who recently experienced a data breach at her firm. Catharine shares her firsthand account of how the breach unfolded, the steps she took to respond, and the lessons she learned along the way. She offers valuable insights into the importance of having a robust cybersecurity plan, the critical role of communication with clients, and the need to be proactive in protecting sensitive client information.

Sponsors
Padgett -  Contact Padgett or Email Jeff Phillips

  • (00:00) - Welcome to the Federal Tax Updates Podcast
  • (01:30) - Introducing Our Guest: Catharine Madeley
  • (03:26) - The Harrowing Tale of a Data Breach
  • (04:29) - The Initial Discovery and Immediate Response
  • (14:36) - Navigating the Aftermath: Investigation and Recovery
  • (23:42) - Reflections and Lessons Learned from the Cybersecurity Incident
  • (25:58) - The Aftermath of a Data Breach: A Personal Account
  • (26:45) - Law Enforcement's Response to Small Scale Breaches
  • (28:36) - Navigating IRS Procedures After a Breach
  • (29:51) - The IRS Practitioner Relief Opt-In Program: A Lifeline
  • (32:42) - Client Communication and Response to the Breach
  • (42:55) - Lessons Learned and Moving Forward
  • (49:28) - Final Thoughts and Advice

Connect with Catharine Madeley
LinkedIn: https://www.linkedin.com/in/catharine-drake-madeley
Website: https://www.sallingcpa.com

Get NASBA Approved CPE or IRS Approved CE
Launch the course on EarmarkCPE to get free CPE/CE for listening to this episode.

Connect with the Hosts on LinkedIn
Roger Harris
Annie Schwab


This podcast is a production of Earmark Media


All content from this podcast by SmallBizPros, Inc. DBA PADGETT BUSINESS SERVICES is intended for informational purposes only.

Creators & Guests

Host
Roger Harris, EA
President at Padgett Business Services
Guest
Catharine Drake Madeley, CPA
Catharine Drake Madeley, CPA, owner of Salling Madeley, PLLC in Austin, Texas, focuses on individual and small business tax compliance and has built a reputation for her dedication to helping clients make their tax experiences more manageable. She balances humor with a deep-seated passion for all things tax-related with the aim to make taxes less taxing – and a tad more fun! Along with navigating the intricacies of the tax world and tax firm management for more than fifteen years, Catharine has been cited in mainstream media publications such as Forbes. When she's not diving deep into the latest tax conundrums, you'll find Catharine in the garden, out for a hike, or off on a grand adventure.

What is Federal Tax Updates?

CPAs, Enrolled Agents, and Tax Preparers can keep up-to-date with the latest federal tax information while earning NASBA approved CPE credits and IRS approved CE credits by listening to the bi-weekly Federal Tax Updates podcast. The hosts Roger Harris and Annie Schwab have over 75 years of tax experience between them, which has been featured in various media outlets including Wall Street Journal, USA Today, The Morning Business Report, Bloomberg Business News, and Accounting Today.

Roger Harris: Hello, everybody. Welcome to another Federal Tax Updates podcast. I'm Roger Harris and I'm not joined by Annie Schwab today. She's out on special assignment as we get through April 15th. And she'll be back shortly after April 15th. But I'm really excited about our guest that I do have with me today. Uh, today I'm joined by Catharine [00:00:30] Madeley, who is a new member of the Padgett family, and she's based in Austin, Texas. And I am really excited to have Catharine with me. Catharine, first of all, thank you for doing this. And how are you doing today?

Catharine Madeley: I'm doing great surviving tax season so far and just kind of excited to talk to Roger for a bit.

Roger Harris: Well, I don't know. That's maybe during tax season that's a highlight. But normally that wouldn't be. But we really appreciate Catharine. Catharine, tell everybody, uh, a little [00:01:00] bit about your background, your practice, so they have a sense of what you've done for the last few years.

Catharine Madeley: Sure. Um, I became a CPA back in 2009, I guess, and was in a small firm that's been around Austin, Texas for about 30 years. We focus primarily on individuals and small business, tax planning and preparation. Uh, we currently have about 275 clients. Um, it's a good mix [00:01:30] of individuals and businesses. And I became the only owner back in 2019. Um, I guess I met you last summer and yeah, it really seemed like a great fit almost immediately and joined Padgett in November, so I'm happy to be here. Thanks for having me today.

Roger Harris: Well, we're very happy to have you. And yeah, we did meet at an IRS forum and Catharine stood out. You know, a lot of people at the IRS knew about her and heard about her. And you may have actually run into Catharine. [00:02:00] You know, you've done a lot of webinars and engagements before. So this is not the first time Catharine has been willing to share her expertise with you. And we're really lucky because what we're going to talk about today is something that all of you that are in our profession, you hear about, but sometimes it's just background noise. You think, well, it could never happen to me. And we're talking about, you know, the whole issue of cybersecurity, data breaches, all of those sorts of things. We're [00:02:30] all aware that, you know, when we go renew our PTIN, we've got to check a box and we're supposed to have a written plan. But I think sometimes we don't take it seriously. We just write a plan to have a written plan, not to have data security. We check a box to check a box; we're not really concerned about the dangers of not having a workable plan or paying attention to it. And Catharine is so kind to share with us an experience that she had that I think will [00:03:00] hopefully kind of put a real world touch on the things that we should all pay more attention to. I know it's in the middle of tax season, and sometimes that makes it even more dangerous. But Catharine, talk a little bit about, and again, I really appreciate you sharing this because this is a personal story of something that Catharine and her firm went through. And, uh, I think it's something that all of us, I know I've learned from hearing it, some things that I wouldn't have thought about. So, Catharine, first of all, give us a broad outline of [00:03:30] kind of when and what happened that kind of led us to where we are today.

Catharine Madeley: Yeah, absolutely. Um, and that is that is why I'm here today. And sharing is because I too, just kind of checked the boxes I had my I had my plan. I had, you know, some phone numbers slapped down saying these are the people you should call. But we had a data breach, um, back in, oh, September of 2022. Um, [00:04:00] I had a part time employee who was transitioning into retirement, and she got, um, one of those emails that everybody gets 20 or 30 of every single day. And she clicked on a link that said, your password is about to expire. Click here to keep your same password. And she typed in her password, um, on that, that website that opened up from that link. [00:04:30] And that was in early September. Um, on Saturday, September 10th, they accessed her email and started poking around. Um, they identified the portal that we use to exchange documents with our clients, and they went to the portal and they clicked on the button that said Reset Password, which sent an email to the email that they had access to, and they reset the password to [00:05:00] her access for the portal, which then sent her an MFA that was also set up to go to that email.

Roger Harris: Address, go to them.

Catharine Madeley: That she had or that they had access to. And then, um, about midnight on September 11th, they started, they logged into our portal and they started poking around and previewing files. Um, started with the letter A went very systematically down the alphabet. They'd be on for a few hours [00:05:30] or, you know, maybe look at 20 items. Um, and then they'd be off, and then they would around 10 a.m. on Sunday, they started actually downloading documents under her again. Fast forward to Tuesday. This was September 13th. I keep throwing out the dates because September 15th, in my mind, is the biggest, hardest deadline of all of the ones that we have. Because there is no right. There's no extending those partnership returns. You have [00:06:00] to do it. So this was September 13th. I'm walking past, um, my office administrator's desk and she says that, um, she's going to call. Let's call her Tiffany the employee. Right. Um, I'm going to call Tiffany and let her know that a client, Miss Brown, not her real name. Um, just uploaded a piece of information. And Tiffany had been working on that client over the weekend, and I just looked at my admin, and I. [00:06:30] I said. Tiffany doesn't work on that client. Tiffany has never met that client. She doesn't know anything about that client. What is she doing? Looking at that client's documents. And we just stared at each other. And I turn around, and I walk into my office, and I pick up the phone, and I'm calling my IT company, and my admin has got the other phone calling this employee. And within 15 minutes we know that that employee had not been looking at Miss Brown's information, [00:07:00] and we have her shut down of everything she can access. Her login to our network is shut down, her login to her email is shut down, her log, like anything that she had access to that I could shut down. She shut down. And and so that was Tuesday morning.

Roger Harris: So so it was like four days. And so a lot of this you talked about it as if you were watching it happen, but you weren't. I mean, this was all going on in the background and you had no idea that you had a problem [00:07:30] until like four days later when I guess you're lucky you somebody was monitoring it then, or it could have gone on longer.

Catharine Madeley: Absolutely, absolutely.

Roger Harris: And so and we talked about the emails you get. The problem is the bad guys are getting better. I mean.

Catharine Madeley: Oh, absolutely.

Roger Harris: The IRS has done a fairly good, I'd say, a pretty good job of trying to notify us when they see, you know, certain scams being sent out, but they really are getting good at the kind of emails that we [00:08:00] get that look like a normal part of our day to day activity. I mean, one that's going out as I'm looking for a tax preparer. Are you taking on new clients? I mean, who wouldn't wouldn't think about that? Now, you mentioned September being your busiest deadline. I think that's probably no matter whether your deadline is April or September or October, you're also stressed out. So do you think the stress of the deadline made a difference? Would it would you you think [00:08:30] if it had been. In January. You might have caught it.

Catharine Madeley: On that Sunday. So I think when we get into what they were doing, they were pretty smart about the way they logged into our system. Um, because they didn't download anything outside of what you would consider normal business hours. So that, and a tax [00:09:00] shop, it's not unusual for a tax shop to be open on a Sunday. No. Um, and if it had been my email that had gotten breached, then we may never have caught it because it would absolutely not have been unusual for me to be downloading and uploading all day long. All hours of the day. Yeah. Um, and to the extent that we were super busy and we were monitoring constantly waiting for those last bits of information to come in, I think that actually contributed to us catching it more [00:09:30] quickly because we were staying on top of those notifications daily. Hourly. Now our admin only works on Tuesdays and Thursdays during the slow season, and she's the one that monitors those emails, so I don't look for them if I don't know something's coming, right.

Roger Harris: One thing before we jump into one more details, talk again. Remind people why we are such targets. I mean, what kind of information do we have that makes [00:10:00] us such big targets? Because I think sometimes we don't realize how valuable the kind of information that we have as part of our day to day routines. Why are why are we being targeted? I think I think I've heard you say you thought you were too small for people to care about, but.

Catharine Madeley: Absolutely I did. I was like, why would they come after me? I don't have that many clients. I'm a small shop. Um, you know, why would they come after us? Well, it's because we have [00:10:30] everything. We have the names, the Social Security numbers, the addresses, the bank account routing information. If they have their IP PIN, we have their IP PIN. Right. So we have it all, very frequently. I mean, how many of your clients do you have passwords to something that they've given you? Yeah, you don't necessarily want it, but they're still, yeah, still, here's my password.

Roger Harris: You go get it. Exactly.

Catharine Madeley: Yeah. Exactly. So so we have [00:11:00] the keys and we have to guard those keys.

Roger Harris: Yeah. We're like the Fort Knox of information for most people. I mean, maybe other than a bank. And the information that we have is maybe the, the pot of gold for a lot of people because you said, not only do I know your name, your Social Security number, I know your bank accounts. I even know what your past year's tax returns looks like. So if I'm trying to slide by the IRS's filters, what better information [00:11:30] to know. So okay, so let's go back now. So you discover it. So how did you feel first of all?

Catharine Madeley: Uh, shocked. Initially very shocked. Um, worried. My first thought was how do I protect my clients? What is my next step? I've turned off the sieve. I've turned off the faucet. But what do I do next? How do I, even with that WISP, [00:12:00] I don't, you know, it's a bunch of words on a piece of paper, right? I don't really know. It doesn't tell you exactly what to do. It says call the people who know what you should do. And here are their phone numbers. Yeah.

Roger Harris: I mean, I guess you've thought about it, but I mean, at that moment you're probably sitting there wondering, what do I do next? Absolutely. I know some people kind of react to want to keep everything a secret, because either they're embarrassed or they don't want to talk until [00:12:30] they know more. So. So when it became obvious you had a problem, you had your written plan like you mentioned, and like you said, you had it written, but you never really thought you would ever have to implement it. So talk a little bit about what happened at that moment. Who'd you call first? Who did you call? You know what, again, we're doing this as an advisory, uh, for someone to hopefully will hopefully keep them from ever having this experience. But if they do what they [00:13:00] should do. So what did you do? Who'd you call? What did you. What did you do? I'm just trying to sit there and put myself in that position. And it.

Catharine Madeley: Was. And I did feel all those those feelings, the embarrassment, the the embarrassment did come. I felt very much like a failure at points during this process, because how could I have let this happen? How could I have jeopardized my client's well-being? Uh, how do I protect my firm? How do I protect like I felt less [00:13:30] than adequate. It would be one way.

Roger Harris: I think everybody would at that point. So.

Catharine Madeley: Um, but the first call after we got got the it side of it, um, shut down. I called my insurance company, uh, we did have a cybersecurity policy on our, um, insurance. And so that was very, very helpful. Uh, I highly recommend having that policy. Um, it did take us until Friday [00:14:00] to be able to schedule to actually talk with the cyber security specialists because they, you know, it doesn't happen perfectly, seamlessly, that you can immediately get through to somebody that can solve all your problems. I don't know why not, but.

Catharine Madeley: Well, you know, where would you.

Roger Harris: Have been without insurance? You know, a lot of people think I don't need cyber insurance. You know how now, having been an experienced person in this, uh, how despite the trouble with getting [00:14:30] through to him, I mean, having it was probably extremely beneficial.

Catharine Madeley: Oh, 100%. I could not have done I couldn't have done most of the technical aspects of of the investigation portion without the expertise of the cyber specialists. Um, they took care of the data mining of when we get into the investigation, they, they, they, they took care of a lot of the research and a lot of the guidance [00:15:00] and working with my IT, my in-house IT specialists to, um, investigate and figure out what, what happened, how it happened and then who was exposed in the process. Um, and I could not my, my, my IT company by themselves possibly could have gotten there eventually, but it would have taken longer and cost more money.

Roger Harris: And time is really not your friend in this case. You want to [00:15:30] try to. And we'll talk, as you mentioned, the investigation of what you discovered, but you really want to get a handle on it. Decide what you have to do with regard to communicating with clients and other people or whatever. And and the sooner you can have a someone who can. Because, look, let's hope that nobody goes through this more than once. So you're not experienced in this, whereas your insurance company hopefully has the experience and can guide you through this. So I just for those people who price [00:16:00] it and go, wow, that's expensive or I don't need that. Uh, I think I'm hearing from you pretty clearly. Uh, insurance is always a gamble of their gambling. They you don't need them and you're gambling. You do. So, uh, this is why it's better to have it. So, um. I'm glad to hear they were, even though they were frustrating and hard to get on the.

Catharine Madeley: Oh, that was that was partly a okay, here's you know, I got I got called back by my insurance company [00:16:30] immediately. I called and submitted the ticket and they called me back at like an hour later. But they are it's one of the big insurance companies for accountants. So their primary, uh, expertise is in guiding you on engagement letters or potential claims from a client if you've done something in the accounting lane. Right. So that's that was the first meeting I got an introductory call to cyber specialists, I think [00:17:00] the second day, but it wasn't until Friday until we could really schedule both sides with five people, uh, to have a two hour sit down. Yeah.

Roger Harris: So so talk about that. You said they helped you through the investigation. Kind of describe what what is that and what's the process you go through? What are you looking for? What do you find?

Catharine Madeley: Sure.

Catharine Madeley: My first step in the investigation, uh, was to actually look at the logs, the data [00:17:30] or the logs of uploaded and downloaded activity on our portal, because we had that information. And so we could very quickly look at what that employee's account had been used to access. Um, and so day one, we knew what tax returns had been looked at, had been downloaded, from that download activity. So we knew what had been downloaded. Uh, W-2s, tax returns, organizers, estimated [00:18:00] tax payment vouchers, that kind of information that had been looked at. So from just day one, we had a list of about 40 names that had, uh, PII, um, compromised. And some of those people were no longer clients, uh, which is an interesting tangent conversation to have.

Catharine Madeley: That's good and bad.

Catharine Madeley: That's good and bad. But, uh, you know, one of the lessons from this is [00:18:30] monitoring how long you keep those no-longer clients up on your storage systems, right? Whether it's a DMS or a portal. So data retention, your records retention. So.

Roger Harris: Right. Yeah. Because you think about they're gone. So they're not really gone to the crook. They're gone from your revenue stream. But they're they're still valuable to that to that bad guy out there.

Catharine Madeley: Mhm.

Catharine Madeley: Uh, we contacted our portal provider. [00:19:00] That was, uh, one of the steps that we did in our investigation. And so they were actually able to get to information we couldn't see for what files had been previewed. So, and this is true in many systems, you can just click on a thing in that online file storage and get the preview of it without actually downloading it. And so our notifications were triggered by downloads. Um, but they gave us a record of everything [00:19:30] that had been looked at, um, and that gave us an additional 55 names. Um, and you know, you think about it, previewing a document lets you potentially, uh, take a screenshot of the information or write down, uh, those critical factors. Um, our next step was to contact our tax software provider. And they reviewed [00:20:00] our user activity logs for everybody in the office. And so did the portal. Um, in terms of when people had logged on, what IP addresses were used for those logins, to look for additional suspicious activity. Uh, another step in my investigation was to look at my EFIN and PTIN accounts, um, on irs.gov and log in to those and check how many returns had been filed under [00:20:30] my EFIN and PTIN. Um, along those lines, my software provider was able to confirm what had been filed through their system. Uh, so it did not appear, based on those data points, that any additional returns had been submitted under my identity. Um, and then my tech company and the cyber specialists looked at that email address that had been compromised. [00:21:00] Uh, they were able to determine what IP addresses had been used to access the account, how long, um, how long they had had access to it, and then how far back? And this is over my head in terms of technical ability, but. Well, then.

Roger Harris: It's way over.

Catharine Madeley: Mine.

Catharine Madeley: Magically, they were able to determine how far back, based on the way the email was accessed, the bad actors were able to get information. And so the IT or the [00:21:30] cyber specialists did a data mining. They took that email account and data-mined it with a computer system that pulled back, um, potential hits for PII. So an email that might have had an address in it, uh, is PII. It's personal identifying information. They were able to then do a manual review of those, um, emails. So [00:22:00] the data scrubbing of it came up with another 5800 potential hits, which when I heard that number, I was just terrified, of course. Oh, of course, but it ended up where we had, um, I think a total of 105 identities that had been, um, accessed where PII was exposed, and that was not [00:22:30] 105 returns, it was 105 individuals. So it could have been a married filing joint couple with three kids.

Catharine Madeley: That's five people, right?

Roger Harris: How far into now when you got to that, how long had this been going on and how much time was this taking out of your day to day activities to to deal with this and not deal with everything else that was supposed to be going on at that time in your life?

Catharine Madeley: I still dealt with everything else. I didn't sleep. [00:23:00]

Catharine Madeley: For a.

Catharine Madeley: Month. Uh, I probably aged about five years in that month. Because after October 15th came and went, I really could focus more on this. But at that point, I had done the bulk of what I could do, and it was in the hands of the cybersecurity insurance specialists. Um, I think it definitely [00:23:30] was time consuming, and I was not alone. I'm in an office. I have an amazing office administrator who did a lot of the heavy lifting with this. But, um, and I think, stepping back, the first call I made was to insurance. I also went down that WISP list of call your state attorney general, call law enforcement, um, call the [00:24:00] IRS. And so I, you know, I left messages, I called my lawyer and he said do what insurance tells you to do.

Catharine Madeley: Okay. Yeah. Um.

Catharine Madeley: But the the, uh, we left a message with the state attorney general. We left a message with the IRS stakeholder liaison. We didn't hear back from either of those. Um, we did call Austin Police Department and the FBI and had an interesting conversation [00:24:30] there. Yeah.

Roger Harris: What? Yeah. How did that go? I mean, in terms of all the things that the police department, the FBI has to, to deal with, how did they how serious? I guess maybe I'm asking for an opinion here, but how serious did they take something like this compared to some of the things they deal with?

Catharine Madeley: So I don't do audits or compilations, so I'm not qualified to offer an opinion.

Catharine Madeley: I'm just okay, I think I.

Roger Harris: Know the answer.

Catharine Madeley: No.

Catharine Madeley: I [00:25:00] know he he came out. Uh, the gentleman from the APD and FBI have a joint task force in the central Texas area. And so they came out to our office about two weeks after we reported the breach and kind of walked through what had happened. At that point. We had a list of names, not a not a comprehensive list of names, but a pretty good list of names. But to our knowledge, we didn't have any fraudulent returns filed knowledge. We didn't have any credit cards. To [00:25:30] our knowledge, no harm had been done. And our list of compromised individuals was pretty small, um, relative to other data breaches out there in the world. And so we were basically told that our breach was not worth individual investigation because, number one, there had been no harm done yet. And number two, it's small fries. Um, so they're they're going to investigate something where a lot [00:26:00] of money has been taken. Well, we hadn't had any documentation of any money being taken. Uh, at.

Catharine Madeley: This point, some of.

Roger Harris: The data breaches that make the first page of the news or, or the lead story on the nationals.

Catharine Madeley: Absolutely.

Roger Harris: Catharine's breach didn't quite.

Catharine Madeley: Reach to that. Yeah. And level me.

Catharine Madeley: Losing sleep in my mind is is a massive a massive crime, right. Uh, in terms of of this breach, it was not worth the time of [00:26:30] the IRS criminal investigation or the FBI or the Austin Police Department. They were grateful for any information we could provide, and they would add it to their databases, but it wasn't wasn't worth their time.

Roger Harris: Sure. And that's understandable. I mean, yeah, in a situation like this, compared to particularly what the FBI is dealing with on a day to day basis. Now, you mentioned the IRS and they do have and I think this is where we'll pay them some compliments. Uh, there is [00:27:00] a, a number to call at the IRS to when this happens and, and talk a little bit about what they were able to do and their experience and how that went. Because they talk a lot about this, this department, I'll call it a department. I guess that's what it is. Um, that for practitioners to reach out to talk about what they were able to help you with and their responsiveness or lack responsiveness. I'll let you classify it because you're the one that went through it. But talk a little bit about how that went. [00:27:30]

Catharine Madeley: Well, we had left a message with the IRS stakeholder liaison. There's a bunch of different numbers depending on where you are in the country. Um, they have different offices. But we didn't hear back. And then we talked to the FBI and they said that the IRS isn't going to look at this terribly closely. Um, but I later found out that they actually. I should have followed up. I didn't follow up because they said that. No, the FBI said don't bother. Um, but [00:28:00] the IRS does have a Return Integrity, Compliance, um, Services for practitioners with a program. They have a Practitioner Relief Opt-In program, and it's a pre-filing program where I was able to provide a list of the clients that had had their information exposed. And the IRS puts a flag on those accounts. Then before I file a return, I contact [00:28:30] the IRS the day before we're going to hit submit and give some key indications from the return, some numbers from page one of the return, um, to verify that the return that they will be receiving electronically is the real return for that client. Um, and so that did add a few minutes to the administrative time with filing every single one of those clients. [00:29:00] But ultimately it protects me. It protects my clients. Um, and it stops the IRS notices, because if I'm not doing that and there's some indicator on the return that the IRS has that says, oh, you need to verify that this is your return, all of a sudden my client's getting an IRS notice and I'm dealing with that, which is more time consuming.

Catharine Madeley: Sure. Yeah.

Roger Harris: Yeah. The little time it took to to to follow that program pays. It pays dividends [00:29:30] in the long run.

Catharine Madeley: Absolutely.

Roger Harris: So the IRS was helpful in terms of and I think the message there is there is a process to to go ahead and be able to file, because we've all been seeing situations where a person has a refund, hung up because somebody stole their identity, have already filed, and they wait forever to get their money. And because there was no the service has said in meetings that practitioners are for some reason hesitant to call the IRS and participate in this program. I guess [00:30:00] going back to my earlier comment, they're either embarrassed, they don't know, but but it was probably extremely helpful looking back on the filing of those returns through this.

Catharine Madeley: Absolutely. And we were actually able to, um, I mean, in the end, I had a person's email address that I could email. I say a person, it was a it was a bucket. But it's it's a small team that was working on my case. And so, uh, I was able to get some [00:30:30] pretty quick, accurate information from them when I needed it. Um, and I got into this program because of the, um, because of those IRS notices that my client started getting saying there's a mismatch and you need to, um, and so by following up with that, then then I was able to learn about this program that I wish I had known on day one.

Catharine Madeley: Day one.

Roger Harris: Talk about the clients. When did the client when did you. Well, I'm going to presume [00:31:00] something here. When did you reach out to the clients? What did you tell them? How did they react? How were the clients ultimately did the clients get through this, all things considered, pretty well. I mean, from from the client experience. What was it like? I'm sure none of them wanted to know, but weren't happy about it, but absolutely.

Catharine Madeley: So we, um. I think I mentioned that the very first week we knew 95 PIIs had been exposed, [00:31:30] uh, either through the downloads or through the previews. And when we initially talked to our insurance company, they kind of gave us a timeline of how they approached data breaches. And the first step in the data breach response is to do the investigation, which we've already talked about. And then once the investigation is concluded, then in the state of Texas, and this varies by state, you have 60 days to send out the notification to your clients or to [00:32:00] the people who've had their PII exposed. Right. We knew that there were problems, and some of those clients had some really big deposits sitting in the IRS piggy bank, either through making huge estimated federal tax payments or through withholding on their W-2s. And we know that people have looked at their W-2s, so that for the return that has not yet been filed, [00:32:30] they could file a pretty accurate return based on what was in the portal. So we worked with our insurance company that very first weekend, after I was able to meet with the specialists, um, to draft an initial notification saying that this investigation is ongoing, it's not been concluded, but you have been exposed. Next, you know, I spent the week after emailing and contacting [00:33:00] by phone every single one of those families that had been exposed.

Roger Harris: What was that like?

Catharine Madeley: They had a lot of the same initial reactions that I had: this shock. How could this happen to me? None of them were upset with me, and I didn't lose any clients because of this data breach, which I think is remarkable. We worked really hard with our clients to [00:33:30] explain the risks to them and to help walk them through getting the credit monitoring, which was offered through our cyber insurance, with dark web monitoring. So they had somebody looking not only for something on their credit reports, but also for whether their information was being batted around the dark web. We helped a lot of them get set up on the IRS.gov website and ID.me to [00:34:00] get their IP PINs to help protect their tax accounts. We worked pretty closely with our clients after this to help educate them and talk about their own data security. And we use a password manager in our office, and probably a third of the clients that we talked to now use that same password manager, just because we talked about how important it is to have a strong, secure password. We talked about our experience with our clients, and they were grateful [00:34:30] that we were open and honest and up front with them.

Roger Harris: And I think there are a couple of things to be learned from this. The fact that you didn't lose a single client, first of all, is a compliment to you, because that tells me that going into this, those people had a lot of confidence in you. They trusted you. They can accept it when things happen, when they have that confidence. And then there's the fact that you were up front. Again, a lot of people get afraid when something happens, and they kind of go into a shell [00:35:00] and don't communicate, and they wait too long. And I think that actually is worse for people. I think, number one, that they trusted you going into it, and number two, the way you confronted it head on: you called them, you told them what happened, you had a strategy. First of all, it says an awful lot about you, but it also says a lot about the need to not put your head in the sand like some people do and just kind of hope that this is going to go away. Well, it's probably not. [00:35:30] So it's interesting to hear, because the fact that you didn't lose a single client... there's always one crazy person in a group, you think, and somebody is going to go off the deep end. But the fact that you maintained 100% of the clients through all this is remarkable. And congratulations. It shows me you did everything you needed to and could have done.

Catharine Madeley: I tried my best.

Roger Harris: Did any, to your knowledge... I mean, I'm sure there were some delays [00:36:00] in processing, but did any client have a big problem, or did you get it soon enough that it was more of a nuisance problem than a huge problem?

Catharine Madeley: It was the nuisance problems. You can't put all the pictures up on the big board and take little pins and draw the yarn and say, [00:36:30] this event caused this false return to be filed on this account. I mean, we can say these two things could be related, but we don't know for sure. Right. So we did have a couple of clients have e-file rejects because a return had been filed with their Social Security number or one of their dependents' Social Security numbers. Again, we don't know [00:37:00] with certainty. We can assume, but we can't draw that straight line. And then we've had e-file rejects on clients that weren't exposed in our data breach. And so did the cybersecurity company miss them, or was that legitimately somewhere else? We just don't know. And the IRS can't know either.

Roger Harris: No. And [00:37:30] all of us have gotten those. Yours is a personal response to people. All of us have gotten the letter in the mail: hey, your data was hacked or stolen or whatever, and here's a monitoring service. So yeah, it could have come from other places that had nothing to do with you. But...

Catharine Madeley: Well, I think

Catharine Madeley: that speaks to what you said at the very beginning. We're gatekeepers. We have the keys. Yeah, and I responded that way personally because, [00:38:00] A, I have relationships with most of the clients, and B, what was exposed was so vital. And timeliness is really important in these situations. We're talking on March 18th; if there's an office that has a breach today, those tax returns are being filed today based on the information that's being taken down by those bad actors. Yeah. [00:38:30] Or tomorrow, or next week. So I needed to let those clients know: we have you. I've been asking for that last piece of paper for two months. I need it today. I need it now.

Catharine Madeley: Yeah, now. So time is up.

Catharine Madeley: And here's why. We need to move immediately.

Catharine Madeley: We need to.

Roger Harris: There's some advantage to being first. Let's be the first one to file a tax return with your Social Security number, [00:39:00] because that gets in. Your story reminds me of something I heard once at an IRS briefing that's really kind of scary when you think about it. You mentioned the dark web: you can literally go on the dark web and see a tax firm's clients for auction. They're out there, and it'll say so many returns, this and that. And there are literally bad actors buying, because I was told, and I don't know if this is [00:39:30] true, I don't know if you got deep enough to really know this, that the people stealing the data usually aren't the ones filing the returns. They then sell it to somebody else, usually overseas, who files the returns. So there's a huge market on the dark web of bad actors negotiating or bidding for accounting firms. And I bet most of those firms don't even know their information's up for sale.

Catharine Madeley: I would be shocked if I didn't. I'd never heard that before. [00:40:00] Yeah. Or if I had, it went in one ear

Catharine Madeley: and out the other. It would have been a good thing you didn't know, when it happened, right?

Roger Harris: It would have made it worse.

Catharine Madeley: Yeah.

Catharine Madeley: And I don't know, I think that would be dependent on the way the breach happened, because...

Catharine Madeley: And what they got.

Catharine Madeley: What they got. So if, for example, our external backup storage was stolen and they had all of our [00:40:30] documents, then yes, they're going to digitize that and they're going to sell that. But this was one bit of information at a time. And so I just don't know that that would have been the primary use of the information that was taken from our firm. But it's possible.

Roger Harris: Yeah. I think you got yours probably quick enough that it wouldn't have been worth as much as those firms where they've scooped everything unbeknownst to the firm owner, and somebody is buying that stuff [00:41:00] up on the dark web. Looking back now, so this was '22, is that right? Yep. So it's almost two years. What did you learn? And again, talking to our audience, who are people like yourself, what do you want to say to them? What does your experience teach you, and what message do you want them to hear? Because I think everybody in our profession has heard [00:41:30] about this. They've heard about it from the IRS. They've read about comparable things in the paper, but they've never personalized it as, hey, this could happen to you. Well, it did happen to you. It did. So talk to our audience about what you learned, and if they don't get but 1 or 2 things out of this, what do you want them to get out of it?

Catharine Madeley: Okay.

Catharine Madeley: That's 1 or 2 things. Well, as

Catharine Madeley: many as you got.

Catharine Madeley: I'm just... definitely, I thought [00:42:00] we had pretty good security measures in place, and we had two-factor authentication turned on. We have definitely upped that. We have upped our training and awareness with our employees, with our clients. It's that communication. It is staying on top of technology and using technology tools to our advantage. But it's also inviting in experts to help you. I mean, I'm a tax person. I'm not a [00:42:30] tech person, so I don't have the skill set to go out and build the firewalls and the security. I don't have those skills to make that happen. I need to rely on the expertise of others. And I think that we tend to be a little bit type A in our nature as accountants and think that we have to do everything ourselves, and that's not the case. Ask for help. Don't be afraid of help. [00:43:00] You have the insurance, but have the plan and know who to lean on.

Catharine Madeley: Yeah, because.

Roger Harris: I would say you probably, before this happened, were in the top echelon of people who tried to do things the right way. You had the insurance, you had all these things, and it still happened to you. So it can happen to any of us. And we're not going to be perfect in anything [00:43:30] that we do, more or less protecting client data. So in some instances, how we react when something happens is really how you should measure us, not that we can be perfect, because we just can't be. And I think, again, the things that I heard here today are: it happened, you reacted quickly, you communicated to clients, and you kept all the clients. And you're still here in business today, willing to share [00:44:00] your story, because while it's not something that you want to go through again, you survived it. And you probably came out of it better than you went into it in a lot of ways. And I think, again, that's a compliment to you and how you reacted. And I hope that the people listening to this take advantage of looking back. I think you mentioned in one of our earlier discussions that this is particularly dangerous at this time of year, when we're [00:44:30] all busy.

Catharine Madeley: It is. We're flying through emails as fast as we can. We're checking them on our phones, which is particularly... you know, they look different on your phone than they do on the computer screen, and so you have to scrutinize them a little more closely. And we're doing things when we're tired, and we're doing things at odd hours. So we're more prone to make mistakes this time of year, just by the nature of trying to [00:45:00] do so much and juggle so many balls at the same time. And we can't be perfect. We can't be perfect all the time.

Catharine Madeley: No.

Roger Harris: And no matter how hard we try, sometimes a mistake happens. So have the system in place to react to it, to be up front with it, to deal with it, not to run off and hide and hope it'll go away, which I think sometimes is human nature. Any time we run up against something that we don't particularly like, we just kind of think, well, maybe tomorrow it won't be

Catharine Madeley: here. But it will. This [00:45:30] one

Roger Harris: wasn't going anywhere if you hadn't addressed it.

Catharine Madeley: Well, and we did. I don't think we talked about this before, but we did a little bit of triage with our client base on the returns that hadn't been filed yet when this happened, and those clients that we felt confident it was safe to file late, we filed late. We contacted them and said we're dealing with a crisis. So we were up front, not just with the clients that had their data stolen. We were up front with our clients that weren't directly impacted, [00:46:00] but we needed to shift gears to address this crisis: can you assist us in this process by allowing us to file your return late? You're overpaid; you were not impacted by this breach. So just being up front with your communications, to the best of your ability, really helped us through this.

Catharine Madeley: Yeah. Well.

Roger Harris: Yeah, again, it's one of those stories. Look, I really appreciate you being willing to share this, because [00:46:30] I think, again, that says a lot about you, because a lot of people wouldn't be willing to share their story to help others. Because, again, as we said at the beginning, it's not something that we're proud of that happened. I'm not sure you could have prevented it from happening. I mean, I'm sure you had told your employees to be careful about opening emails, but they're not perfect either. So I really, really appreciate you sharing this. I think you probably have helped somebody who's listening today to take a look back. And that's the one thing that I would tell [00:47:00] those that are listening to this podcast, whenever it is, whether you're listening to it during filing season or, hopefully, you're lying on the beach somewhere after April 15th listening to this podcast on some beautiful island somewhere: go back and examine your system, examine your insurance, talk to your staff, do all the things so that, to the best of your ability, this won't happen. But if it does happen to you, [00:47:30] deal with it like Catharine did. Do the things that she told you to do, because I think you came out of it about as well as could be expected, given what happened. Yeah. Catharine, any final words as we wrap up this podcast? Again, I can't thank you enough for, first of all, agreeing to do the podcast, but particularly for talking about this topic.

Catharine Madeley: Yeah. I would say my final words would be: never trust an email. And [00:48:00] thank you, Roger, for having me. I really appreciate this.

Roger Harris: Oh, this was my pleasure, I really do. It's always fun to talk to you, and it's always good to share ideas with you, but I think this is something that, hopefully, and I know I say hopefully, but I know the listeners have gotten a lot out of. And we've got to have you back and talk about something more pleasant. Next time, let's find another topic that is not focusing on the negative. Let's talk about what a wonderful [00:48:30] and successful tax season you had, and how you can't wait for the next one, whenever that happens. Thank you so much for joining us. Thank you, as always. Thank you for being part of the Padgett team. Thank you guys for listening to this episode of the Federal Tax Updates podcast. We hope you'll tell your friends about it. Go tell them to listen to this. If they listen to one of them, listen to this one, and hear Catharine's great advice. So thanks again for tuning in, and we hope [00:49:00] to have you back on the next Federal Tax Updates podcast. So long, everybody.