We’ve learned this week that benevolent hackers found a vulnerability over at Moss Adams a few months ago and detailed their findings in a blog post on Tuesday.
VPNOverview’s security team in April discovered an improperly stored virtual machine (VM) image that belongs to Moss Adams, one of the largest public accounting firms in the U.S.
Access to the image, which was stored in a publicly accessible Amazon Web Services S3 bucket, did not require a password. We disclosed the breach on April 15, and Moss Adams secured their cloud network shortly afterward.
Our team could enter Moss Adams’ corporate cloud using an RSA key from the VM’s filesystem. The key allowed us to log in to a workstation and access sensitive information. No customer data was exposed during the course of this investigation.
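The open bucket at the centre of this story is the kind of misconfiguration a routine check catches before an outsider does. As an added example (not VPNOverview's or Moss Adams' code, and with constructed sample documents since the real ones are not published), the Python below evaluates an S3 bucket policy, its ACL grants and its Public Access Block configuration for anonymous access:

```python
import json

# Group URIs AWS uses in S3 ACLs for anonymous / any-AWS-account grants.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def principal_is_public(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids (or positions) of unconditional Allow statements granted to everyone."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]  # conditional grants need manual review instead

def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers/AuthenticatedUsers in a GetBucketAcl-style dict."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def bucket_is_public(policy_json, acl, public_access_block):
    """Public only if no full PublicAccessBlock is set AND the policy or ACL opens the bucket."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                "BlockPublicPolicy", "RestrictPublicBuckets")):
        return False
    return bool(public_policy_statements(policy_json) or public_acl_grants(acl))

# Constructed sample documents (not from the incident): a VM-image bucket readable by anyone.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanReadImages", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vm-images/*"},
    {"Sid": "OpsWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-vm-images/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_PAB = {"PublicAccessBlockConfiguration": {}}  # guardrail never configured
FULL_PAB = {"PublicAccessBlockConfiguration": {k: True for k in (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
```

The inputs mirror what `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return, so the same functions can be fed live output from the AWS CLI or boto3.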
An SC Media article about the incident says “Moss Adams LLP is one of the country’s largest and most prestigious public accounting and wealth management firms, employing nearly 4,000 financial professionals.” You’ll note Moss Adams ranks #10 on Vault’s Most Prestigious Accounting Firms list, the authority in public accounting prestige.
Hilariously, that same SC Media article links to a post from Moss Adams themselves about the intangible costs of a cyberbreach:
One of the most important components of managing cyber-risk is prevention. Some organizations, however, sometimes fail to realize that data breaches can cost more than just lost data or access to systems.
The consequences of a cyberbreach can affect various business relationships—insurance companies, banking institutions, investors, or potential buyers, for example. The implications of those intangible costs often mean companies must adhere to criteria that help them evaluate the security of companies.
VPNOverview said a close examination of the filesystem revealed sensitive information but no data belonging to Moss Adams’ customers.
In a statement to VPNOverview, Moss Adams suggested client data was never at risk had more nefarious individuals duplicated VPNOverview’s actions: “This AWS instance was completely isolated from the Moss Adams corporate IT environment, systems, and related client data. The fact is that we do not currently use AWS to host any of our corporate systems or client data. This AWS instance was used solely for purposes of performing external penetration testing and hosting the related tools that we do not want housed or commingled within our corporate production environment.” The breach was discovered on April 14, 2022 and reported to Moss Adams the following day; Moss Adams closed the breach on April 20.
“In this case, a series of small mistakes and misconfigurations gave us workstation access to one of America’s biggest accounting firms. The ironic thing is, Moss Adams is more prepared to face a cyberattack than most businesses, but it only takes one error to open up unexpected avenues of attack. A compromised pentesting (penetration testing) instance is an ideal place to launch further attacks. I’m relieved none of Moss Adams’ customers were exposed,” said Aaron Phillips, the cybersecurity professional who led the VPNOverview investigation into this breach.
This isn’t the first time Moss Adams data was vulnerable. Back in 2020, Moss Adams gave notice that an employee email account was compromised in late 2019 and unsavory characters gained access to various personally identifiable information (PII), including names and Social Security numbers. California law requires a business or state agency to notify any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person, and requires that a sample copy of any breach notice sent to more than 500 California residents be provided to the California Attorney General. A footnote in the breach notification sample provided to the California AG [PDF] by Moss Adams says that the firm performs employee benefit plan audits for current or former employers of the affected individuals, which is why it held these people’s PII.
VPNO says Moss Adams’ cloud is now secure.