
PwC Audit Client Gets Added to the List of Companies That Have to Send Out Letters to Customers About a Data Breach


Puerto Rico’s largest bank filed a data breach notification with the Maine Attorney General on August 14 related to the MOVEit ransomware attack that has so far snagged Deloitte, EY, and PwC. For once KPMG is thrilled to be excluded from the Big 4. EY client Bank of America sent a similar notice to its customers last week, but that notice did not go into detail, as Popular’s does, about why an accounting firm would have had access to this customer information.

82,217 Banco Popular customers may be affected, and all of them will be getting this letter, which specifically mentions “compromised personal information” being provided to PwC as part of the firm’s audit work on the bank:

Dear [person]:

We write to inform you that one of our vendors, PricewaterhouseCoopers (PwC), has been a victim of a cybersecurity breach that included certain personal information of our customers. The breach involved the compromise of a software, MOVEit, used by PwC to transfer files for a small number of its clients, including Banco Popular de Puerto Rico (Popular).

As a public corporation that trades in the stock market, Popular is required to use the services of an auditing and accounting firm such as PwC. The job of auditing Popular requires, due to its nature, that Popular share client information so that PwC can perform certain independent validations necessary for Popular to issue financial statements.

Upon learning of the incident, PwC immediately launched an investigation and ceased using the impacted software. As a result of this investigation, it was determined on July 24th, 2023, that certain of the files compromised in the incident included personal information of our customers. The compromised personal information includes your name, Social Security number, mortgage loan number ending in , and mortgage-related fields.

The remainder of the letter explains to customers several ways they can protect their credit and offers two years of free monitoring from Equifax.

PwC has audited Popular for at least two decades; 2003 was the earliest annual report we could dig up in several minutes of searching. The bank is one of the 50 largest U.S. banks by assets and has operated in Puerto Rico for more than 125 years (more than 52 years in the mainland United States).

Story spotted on Cybernews: PwC breach spills into Banco Popular de Puerto Rico

One thought on “PwC Audit Client Gets Added to the List of Companies That Have to Send Out Letters to Customers About a Data Breach”

  1. Per 2023 proxy: “PricewaterhouseCoopers LLP has served as the independent registered public accounting firm of BPPR [bank] since 1971 and of Popular [bank holding company] since 1991.”
