We learned this week that benevolent hackers found a vulnerability in Moss Adams a few months ago and detailed their findings in a blog post on Tuesday.
In April, the VPNOverview security team discovered an improperly stored virtual machine (VM) image belonging to Moss Adams, one of the largest accounting firms in the United States.
Access to the image, which was stored in a publicly accessible Amazon Web Services S3 bucket, did not require a password. We disclosed the breach on April 15, and Moss Adams secured its cloud network soon after.
Our team could enter Moss Adams’ corporate cloud using an RSA key from the VM’s file system. The key allowed us to log into a workstation and access sensitive information. No customer data was exposed during this investigation.
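The post does not show how the key on the image was found, but the failure it describes, a private key left on a VM image that later becomes reachable, can be caught before the image leaves the build host. The following is an added example, not VPNOverview's or Moss Adams' code: it walks an extracted image root for PEM private-key headers and reports, for each key, whether it is passphrase-protected and world-readable. The sample directory tree it builds is constructed for the demonstration and holds fake key blobs, not real keys.

```python
import os
import re
import stat
import tempfile

# PEM markers for private key material: OpenSSH, PKCS#1 (RSA/DSA/EC) and PKCS#8 forms.
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN (OPENSSH|RSA|DSA|EC|ENCRYPTED)? ?PRIVATE KEY-----"
)


def scan_image_root(root):
    """Walk an extracted VM image root; return sorted (relative path, encrypted,
    world_readable) tuples for every file whose first 4 KiB carries a key header."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            match = PRIVATE_KEY_MARKER.search(head)
            if match is None:
                continue
            # PKCS#8 encrypted keys say ENCRYPTED in the header; legacy PEM uses Proc-Type.
            encrypted = match.group(1) == b"ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in head
            mode = os.stat(path).st_mode
            findings.append((os.path.relpath(path, root), encrypted, bool(mode & stat.S_IROTH)))
    return sorted(findings)


def build_sample_image():
    """Constructed stand-in for an extracted image root (fake key blobs, not real keys)."""
    root = tempfile.mkdtemp(prefix="vm-image-")
    samples = {
        "home/svc/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n-----END OPENSSH PRIVATE KEY-----\n", 0o644),
        "home/svc/.ssh/id_rsa.pub": (b"ssh-rsa FAKE svc@vm\n", 0o644),
        "root/.ssh/legacy.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nFAKE\n-----END RSA PRIVATE KEY-----\n", 0o600),
        "etc/motd": (b"pentest jump host\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root
```

Run `scan_image_root` against a mounted or extracted image before it is archived or uploaded; an unencrypted, world-readable hit is the case the post describes and should block the publish step.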
An article from SC Media about the incident says “Moss Adams LLP is one of the largest and most prestigious accounting and wealth management firms in the country, employing nearly 4,000 finance professionals.” You will note Moss Adams ranks 10th on Vault’s list of the most prestigious accounting firms, the authority in matters of public accounting prestige.
Hilariously, that same SC Media article links to an article by Moss Adams himself on the intangible costs of a cyber breach:
One of the most important elements of cyber risk management is prevention. Some organizations, however, sometimes fail to realize that data breaches can cost more than just the loss of data or access to systems.
The consequences of a cyber breach can affect various business relationships, for example insurance companies, banking institutions, investors or potential buyers. The implications of these intangible costs often mean that businesses must adhere to criteria that help them assess business security.
VPNOverview said a thorough examination of the file system revealed sensitive information, but no data belonging to Moss Adams customers.
In a statement to VPNOverview, Moss Adams suggested that customer data would never have been at risk even if more nefarious individuals had duplicated VPNOverview’s actions: “This AWS instance has been completely isolated from the computing environment, systems and associated customer data from Moss Adams. The thing is, we don’t currently use AWS to host any of our business systems or our customers’ data. This AWS instance has been used solely for the purpose of running external penetration testing and hosting related tools that we do not want to host or mix in our enterprise production environment.” The breach was discovered on April 14, 2022, and reported to Moss Adams the following day; Moss Adams closed the breach on April 20.
“In this case, a series of small errors and misconfigurations allowed us to access the workstation of one of the largest American accounting firms. Ironically, Moss Adams is better prepared for a cyberattack than most companies, but it only takes one mistake to open up unexpected avenues of attack. A compromised pentesting (penetration testing) instance is a great place to launch new attacks. I’m relieved that none of Moss Adams’ customers were exposed,” said Aaron Phillips, the cybersecurity professional who led the VPNOverview investigation into this breach.
This isn’t the first time Moss Adams’ data has been vulnerable. In 2020, Moss Adams reported that an employee email account was compromised in late 2019 and disreputable characters gained access to various personally identifiable information (PII), including names and social security numbers. California law requires a company or state agency to notify any California resident whose unencrypted personal information has been acquired, or is reasonably suspected to have been acquired, by an unauthorized person, and requires that a sample copy of any Notice of Infringement sent to more than 500 California residents be provided to the California Attorney General. A footnote in the sample infringement notice provided to the California AG [PDF] by Moss Adams says the company does benefit plan audits for current or former employers of affected individuals, which is why it held the PII of those individuals.
VPNO says Moss Adams’ cloud is now secure.