Please ensure Javascript is enabled for purposes of website accessibility

KPMG Mexico Could Be Facing Fine of Up to $1.6 Million For Huge Data Leak Blunder

Posted on by Jason Bramwell
kpmg general electric wells fargo

Mexican authorities said KPMG Mexico could be fined as much as 30 million pesos (about $1.57 million) for exposing the confidential payroll data of employees at 41 of its clients, which was housed in an unsecured database that wound up on the Internet.

According to El Economista, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) will decide whether KPMG was in compliance with the requirements of Mexico’s federal laws on personal data protection and, if not, whether the firm deserves a hefty penalty.

Cynthia Solís, a partner with IT legal advisory firm Lex Inf, told El Economista that if KPMG is found to have violated federal data protection laws, “I think we are talking about a million-dollar fine, between 20 million and 30 million pesos.”

But if the INAI finds that the firm was compliant with the law’s requirements, the KPMG Mexico employees who were responsible for the data leak would be the ones fined, not the firm, Solís said.

But she added:

“At the outset, there is a well-founded presumption that KPMG did not correctly apply the physical, technical and administrative measures to safeguard this data.”

According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure. Kept in that database was information from digital tax receipts that the KPMG employees downloaded from the Tax Administration Service, the revenue service of the Mexican federal government, according to El Economista.

“It is important to re-emphasize that the database that was hosted in the unauthorized environment was installed with default settings, which resulted in it being accessible without a password to anyone on the Internet,” KPMG said in the report.

The report also states that an “unauthorized third party” gained access to the database.

“The small group then deleted the unauthorized environment—again, without authorization. Thus, it is unfortunately not possible, through recovery processes, to determine precisely what information was in the unauthorized environment or which information is potentially in the possession of any unauthorized third party. It is also not possible to determine precisely what Information, if any, was taken,” KPMG said.

As a precaution, KPMG Mexico has offered to all affected clients’ employees, whose information could have been in the unauthorized database, monitoring services provided by Experian Information Solutions Inc.

Some of the employee data that was allegedly exposed, according to El Economista, includes:

  • Federal Taxpayer Registry Codes
  • Unique Code of Population Registration (CURP)
  • Social security numbers
  • Bank account numbers
  • Salary information

Two KPMG Mexico employees, who were part of the “small group,” were fired, and the others have been suspended and are awaiting further disciplinary action pending the results of an internal investigation.

Related Posts

Alterra Blows Off Proxy Advisors; Recommends Shareholders Reappoint KPMG as Auditor

After all the hubbub over the PCAOB inspection report that was brought to light by Bloomberg’s Jonathan Weil, including two recommendations by proxy advisors Glass Lewis and Institutional Shareholder Services Inc., Alterra Capital Holdings has recommended to its shareholders that they vote “FOR” the ratification of KPMG as the company’s independent auditor.


From thc.gov/Archives/edgar/data/1141719/000093041311002842/c65254_defa14a.htm”>SEC Filing dated April 19th (all emphasis is original):

TO THE SHAREHOLDERS

We are writing to bring your attention to a disagreement between Alterra Capital Holdings Limited (the “Company”), on the one hand, and each of ISS Proxy Advisory Services and Glass Lewis (each, a “Proxy Advisor”), on the other hand, with respect to the recommendation by each of the Proxy Advisors to vote “against” the Company’s proposal to ratify the appointment of KPMG Bermuda as the Company’s independent auditors for fiscal year 2011 and authorize the Company’s board of directors (the “Board”) to set the remuneration of the independent auditors at the Company’s Annual General Meeting of Shareholders scheduled to be held on May 2, 2011. The Proxy Advisors’ recommendations are primarily related to a report issued by the Public Company Accounting Oversight Board (the “PCAOB”) regarding the Company’s auditors, KPMG Bermuda. The PCAOB is a nonprofit corporation established by the U.S. Congress to oversee the audits of public companies. One of the principal roles of the PCAOB is to perform inspections of the audit files of accounting firms that conduct public company audits. Each audit firm is selected by the PCAOB for inspection at least once in every three years.

In November 2009, the PCAOB reviewed KPMG Bermuda’s 2008 audit files of a public company client located in Bermuda in connection with a routine periodic inspection. In March 2011, the PCAOB publicly issued its findings in a report dated January 28, 2011 (the “PCAOB Report”). Although the PCAOB Report did not identify the public company by name, an article posted on Bloomberg News on March 30, 2011 alleged that the public company client at issue was the Company (formerly Max Capital Group Ltd.). The Company confirmed that it was the client referenced in the PCAOB’s Report in a Current Report on Form 8-K dated March 31, 2011.

The Proxy Advisors’ recommendations also cite concerns that certain of the Company’s directors and officers previously worked at KPMG.

For the reasons set forth below, the Board disagrees with the Proxy Advisors’ recommendations to vote “against” the Company’s independent auditor proposal. The Board unanimously recommends that you vote “FOR” the ratification of KPMG Bermuda as the Company’s independent auditor.

Since this decision by the Board might not sit well with a few people, they’ve carefully laid out the case as to why sticking with the House Klynveld is the right thing to do. They are as follows:

1. The PCAOB Report did not question the Company’s valuations that are reflected in its financial statements.

2. The PCAOB Report did not impact KPMG Bermuda’s unqualified opinions on the Company’s financial statements in 2008, 2009 and 2010; there was and is no restatement issue.

3. The PCAOB made similar findings regarding all four major accounting firms.

4. The Audit and Risk Management Committee was aware of the PCAOB review and made an informed decision in recommending KPMG Bermuda as the Company’s Independent Auditor for 2011.

5. KPMG Bermuda is independent from the Company.

6. The Audit and Risk Management Committee will reassess KPMG Bermuda’s qualifications and suitability in 2012.

Just a few thoughts on some of these:

• It’s not the job of the PCAOB to question the Alterra’s valuations. That’s what KPMG was supposed to do. The PCAOB said KPMG did a lousy job of getting enough evidence to support those valuations.

• Just because there wasn’t a restatement doesn’t mean the auditors did their jobs correctly.

• Admitting that “all four major accounting firms” had similar findings says a lot about what the Board thinks of auditors.

• Is point #5 supposed to be a reminder for the shareholders that have no business acumen whatsoever?

• Point #6 could be better stated as “Our Board is getting good at jumping through hoops. See you next year.”

Any other thoughts? Leave them below.

U.K. Accounting Regulator Chides KPMG For ‘Unacceptable’ Decline in Audit Quality

And here I thought Phil Mickelson’s meltdown on the 13th green at the U.S. Open […]

Rumor Mill: KPMG Restructuring Plans

Thumbnail image for PomeranianSP1324.jpgWe’ve finally received some details on a possible restructuring at the House of Klynveld in the U.S.
According to our source, the plans were announced over the past week on a series of calls by Tim Flynn. The firm would be consolidated down to two regions, East and West and each would have a regional managing partner and one service line managing partner per region.
This would result in the elimination of one level of regional leadership and would transfer several partners into client-facing roles.
The restructuring would also include placing some partners on ‘profit improvement plans’ and some layoffs would occur over the next year. Additional staff layoffs would occur across all ranks over the next year as well.
The bad news is obvious. The silver lining, as some of our other sources have indicated, is that the Firm would be eliminating at least one level of bureaucracy that should allow partners to be more active in developing potential client relationships.
Messages left with KPMG were not immediately returned. We’ll update you with any response that the firm gives us.
If you can expand on of the details we mentioned on this restructuring, let us know, otherwise, discuss your thoughts in the comments.
Earlier: KPMG Atlanta Shake-up Makes Us Wonder
UPDATE, 4:45 pm: Regardless of this rumor, we learned a short time ago that KPMG admitted thirty-six new partners last month. Seventeen in Audit, twelve in Tax, and seven in Advisory. Congrats to the new partners! No, seriously. Good job.

One thought on “KPMG Mexico Could Be Facing Fine of Up to $1.6 Million For Huge Data Leak Blunder

  1. Pingback: List of data breaches and cyber attacks in April 2019 – 1.34 billion records leaked – Blog – PMC Technology

Comments are closed.