KPMG Mexico Could Be Facing Fine of Up to $1.6 Million For Huge Data Leak Blunder

Mexican authorities said KPMG Mexico could be fined as much as 30 million pesos (about $1.57 million) for exposing the confidential payroll data of employees at 41 of its clients, which was housed in an unsecured database that wound up on the Internet.

According to El Economista, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) will decide whether KPMG was in compliance with the requirements of Mexico’s federal laws on personal data protection and, if not, whether the firm deserves a hefty penalty.

Cynthia Solís, a partner with IT legal advisory firm Lex Inf, told El Economista that if KPMG is found to have violated federal data protection laws, “I think we are talking about a million-dollar fine, between 20 million and 30 million pesos.”

But if the INAI finds that the firm was compliant with the law’s requirements, the KPMG Mexico employees who were responsible for the data leak would be the ones fined, not the firm, Solís said.

But she added:

“At the outset, there is a well-founded presumption that KPMG did not correctly apply the physical, technical and administrative measures to safeguard this data.”

According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure. Kept in that database was information from digital tax receipts that the KPMG employees downloaded from the Tax Administration Service, the revenue service of the Mexican federal government, according to El Economista.

“It is important to re-emphasize that the database that was hosted in the unauthorized environment was installed with default settings, which resulted in it being accessible without a password to anyone on the Internet,” KPMG said in the report.

The report also states that an “unauthorized third party” gained access to the database.

“The small group then deleted the unauthorized environment—again, without authorization. Thus, it is unfortunately not possible, through recovery processes, to determine precisely what information was in the unauthorized environment or which information is potentially in the possession of any unauthorized third party. It is also not possible to determine precisely what Information, if any, was taken,” KPMG said.

As a precaution, KPMG Mexico has offered monitoring services provided by Experian Information Solutions Inc. to all employees of affected clients whose information could have been in the unauthorized database.

Some of the employee data that was allegedly exposed, according to El Economista, includes:

  • Federal Taxpayer Registry Codes
  • Unique Code of Population Registration (CURP)
  • Social security numbers
  • Bank account numbers
  • Salary information

Two KPMG Mexico employees, who were part of the “small group,” were fired, and the others have been suspended and are awaiting further disciplinary action pending the results of an internal investigation.
