February 4, 2023

KPMG Mexico Could Be Facing Fine of Up to $1.6 Million For Huge Data Leak Blunder


Mexican authorities said KPMG Mexico could be fined as much as 30 million pesos (about $1.57 million) for exposing the confidential payroll data of employees at 41 of its clients, which was housed in an unsecured database that wound up on the Internet.

According to El Economista, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) will decide whether KPMG was in compliance with the requirements of Mexico’s federal laws on personal data protection and, if not, whether the firm deserves a hefty penalty.

Cynthia Solís, a partner with IT legal advisory firm Lex Inf, told El Economista that if KPMG is found to have violated federal data protection laws, “I think we are talking about a million-dollar fine, between 20 million and 30 million pesos.”

But if the INAI finds that the firm was compliant with the law’s requirements, the KPMG Mexico employees who were responsible for the data leak would be the ones fined, not the firm, Solís said.

But she added:

“At the outset, there is a well-founded presumption that KPMG did not correctly apply the physical, technical and administrative measures to safeguard this data.”

According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure. Kept in that database was information from digital tax receipts that the KPMG employees downloaded from the Tax Administration Service, the revenue service of the Mexican federal government, according to El Economista.

“It is important to re-emphasize that the database that was hosted in the unauthorized environment was installed with default settings, which resulted in it being accessible without a password to anyone on the Internet,” KPMG said in the report.

The report also states that an “unauthorized third party” gained access to the database.

“The small group then deleted the unauthorized environment—again, without authorization. Thus, it is unfortunately not possible, through recovery processes, to determine precisely what information was in the unauthorized environment or which information is potentially in the possession of any unauthorized third party. It is also not possible to determine precisely what Information, if any, was taken,” KPMG said.
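The two failure modes the report describes above, a storage environment stood up on default settings and reachable without a password from anywhere on the Internet, and then deleted with nothing retained to reconstruct what it held, can both be caught from the resource's configuration before anyone finds it. The checker below is an added example written for this page; it is not code from KPMG, El Economista or Microsoft. It assumes its input is the JSON returned by `az storage account show`, with `az storage container list` merged in under a "containers" key and `az storage account blob-service-properties show` under "blobServiceProperties" (that merged shape is an assumption of this example). The property names are real Azure ones; the two sample accounts are constructed. The page does not say what database software the "small group" installed or how it was wired to Blob storage, so the check is over the storage account itself.

```python
"""Added example, not part of the original article or KPMG's report.

Static check of an Azure storage-account configuration for the exposure
pattern described in the report: blob data reachable anonymously from any
Internet address, with nothing retained once the resource is deleted.

Input shape (assumption of this example): the dict from
`az storage account show`, with `az storage container list` merged in as
"containers" and `az storage account blob-service-properties show` as
"blobServiceProperties". The sample accounts at the bottom are constructed.
"""


def check_storage_account(acct: dict) -> list[str]:
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []

    # Account-level switch. Unless it is explicitly false, a container can be
    # made readable with no credential at all.
    anon = acct.get("allowBlobPublicAccess")
    if anon is not False:
        findings.append(
            f"account: allowBlobPublicAccess={anon!r}; anonymous access not disabled"
        )

    # Network rules: defaultAction Allow means every Internet address may connect.
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(
            "account: networkRuleSet.defaultAction is Allow; reachable from any Internet address"
        )

    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append("account: enableHttpsTrafficOnly is false; plaintext HTTP permitted")

    tls = acct.get("minimumTlsVersion")
    if tls not in ("TLS1_2", "TLS1_3"):
        findings.append(f"account: minimumTlsVersion={tls!r}; require TLS 1.2 or later")

    # Per-container anonymous access only takes effect when the account allows it.
    for container in acct.get("containers", []):
        level = (container.get("properties") or {}).get("publicAccess")
        if anon is not False and level in ("blob", "container"):
            what = "blob reads" if level == "blob" else "blob reads and listing"
            findings.append(
                f"container {container['name']}: publicAccess={level}; anonymous {what}"
            )

    # Retention. Without soft delete, deleting the environment destroys the record
    # of what it held, which is exactly what the report says made recovery impossible.
    svc = acct.get("blobServiceProperties") or {}
    for key in ("deleteRetentionPolicy", "containerDeleteRetentionPolicy"):
        policy = svc.get(key) or {}
        if not policy.get("enabled") or int(policy.get("days") or 0) < 7:
            findings.append(
                f"account: {key} disabled or under 7 days; deleted data cannot be recovered"
            )

    return findings


# Constructed sample: an account left on defaults, one container opened for
# anonymous listing, no soft delete. Names are invented for this example.
DEFAULT_ACCOUNT = {
    "name": "payrollexport",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow"},
    "containers": [{"name": "payroll-receipts", "properties": {"publicAccess": "container"}}],
    "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": False, "days": None}},
}

# Constructed sample: the same account with anonymous access off, network access
# restricted to one allow-listed range, and 30-day soft delete for blobs and containers.
HARDENED_ACCOUNT = {
    "name": "payrollexport",
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
    },
    "containers": [{"name": "payroll-receipts", "properties": {"publicAccess": None}}],
    "blobServiceProperties": {
        "deleteRetentionPolicy": {"enabled": True, "days": 30},
        "containerDeleteRetentionPolicy": {"enabled": True, "days": 30},
    },
}

if __name__ == "__main__":
    for label, acct in (("default", DEFAULT_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        results = check_storage_account(acct)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Run against the default-settings sample it reports six findings, including the container whose listing is open to anyone; against the hardened sample it reports none. Soft delete is not a substitute for diagnostic logging on the storage account, which is what would have answered the report's other unanswered question, which blobs the "unauthorized third party" actually read.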

As a precaution, KPMG Mexico has offered monitoring services provided by Experian Information Solutions Inc. to all employees of affected clients whose information could have been in the unauthorized database.

Some of the employee data that was allegedly exposed, according to El Economista, includes:

  • Federal Taxpayer Registry codes (RFC)
  • Unique Population Registry Codes (CURP)
  • Social security numbers
  • Bank account numbers
  • Salary information

Two KPMG Mexico employees, who were part of the “small group,” were fired, and the others have been suspended and are awaiting further disciplinary action pending the results of an internal investigation.

