Please ensure Javascript is enabled for purposes of website accessibility

Moss Adams Got Hacked, Y’all

Hope everyone is having a good start to 2020. We’re s-l-o-w-l-y easing our way back to normalcy at GC HQ and catching up on things we missed during the past week. Like Moss Adams disclosing a data breach, in which names and Social Security numbers of clients were exposed.

How many clients were affected? We don’t know yet. When did it happen? According to a letter to clients that was posted on the California attorney general’s website, Moss Adams said the breach occurred on Oct. 10, 2019:

On October 10, 2019, we detected unusual activity associated with a single Moss Adams employee’s email account. We immediately took steps to secure the account and launched an investigation. Our investigation subsequently determined that the impacted Moss Adams email account was accessed by an unauthorized third party and this account contained some of your personal information, although we do not know if your personal information in the email account was actually accessed by the third party. Please note that this unauthorized access was limited to information transmitted via email and did not affect any other information systems.

Could this breach have been prevented? Most likely. If Moss Adams didn’t use multifactor authentication or two-factor authentication security protocols, much like Deloitte when its global email server was hacked in 2017, that would be pretty embarrassing.

Per usual when companies of Moss Adams’ size get hacked, it has offered to pay for identity theft protection and credit monitoring service for those affected:

[O]ut of an abundance of caution, we are offering you a one-year membership to TransUnion Interactive’s myTrueIdentity credit monitoring and identity restoration service at no cost to you. This product provides you with premier credit monitoring and identity theft resolution, including up to $1 million of identity theft insurance coverage. To receive these services, you must be over the age of 18, have established credit in the U.S., have a Social Security number in your name, and have a U.S. residential address associated with your credit file.

You can follow the recommendations included with this letter to help protect your information. Specifically, we recommend that you review your credit report for unusual activity. If you see anything that you do not understand or that looks suspicious, you should contact the consumer reporting agencies for assistance using the contact information included with this letter. In addition, you can enroll in the free credit monitoring services that we are offering to you through TransUnion Interactive. Enrollment instructions are included with this letter.

We’ll continue to monitor this situation. In the meantime, if anyone at MA has any additional info about the breach, hit us up by email or text/call us on our tips hotline (see below).