On September 16, 2022, Berry, Dunn, McNeil & Parker, LLC confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data through a compromised employee email account. The company’s official filing with the Attorney General of Montana did not indicate what type of data was leaked. However, based on state data breach reporting requirements, it appears likely that the breach involved consumers’ names, as well as their Social Security numbers, driver’s license numbers, state identification numbers, protected health information or financial account information. Recently, Berry Dunn sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
What We Know About the Berry, Dunn, McNeil & Parker Data Breach
According to an official notice filed by the company, on June 8, 2022, Berry Dunn began receiving reports from customers about unusual emails that appear to have been sent from a company email address. In response, the company secured its email system and initiated an investigation into the incident. This investigation revealed that the emails were sent from an account outside the organization. However, the investigation also confirmed that a single employee’s email address was subject to unauthorized access and that this email account contained sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Berry, Dunn, McNeil & Parker then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the company did not elaborate on the type of information that was subject to unauthorized access, under Montana data breach laws, companies only need to report a breach if it involved consumers’ names, in addition to one or more of the following:
Financial account information,
Social Security numbers,
Protected health information, or
Driver’s license or state identification numbers.
On September 16, 2022, Berry, Dunn, McNeil & Parker sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Berry, Dunn, McNeil & Parker, LLC
Berry, Dunn, McNeil & Parker, LLC is a full-service accounting and consulting firm based in Portland, Maine. The company provides its individual and corporate clients with a variety of tax and accounting-related services through nine locations in the United States and Puerto Rico. Berry, Dunn, McNeil & Parker employs more than 500 people and generates approximately $100 million in annual revenue.
How Do Criminals Hack an Employee Email Account?
Berry, Dunn, McNeil & Parker explains in its data breach letter that the recently announced breach was the result of an unauthorized party gaining access to an employee’s email account. While the company provided some details about what led to the incident, one fact the company did not discuss is how the unauthorized party was able to obtain access to the affected email account.
There are a few ways that hackers can access employee email accounts. However, most email-based cyber attacks involve an email phishing attack.
Phishing is a type of cyberattack in which a hacker sends an email from a seemingly legitimate source in hopes of obtaining login credentials or otherwise gaining access to a company’s computer network. Phishing emails are designed to look official; for example, they may contain the actual company logo and will most likely originate from an almost identical domain name. In the email, the hacker uses principles of social engineering principles to “trick” the employee into giving them the information they need to access the employee’s email account.
Most often, hackers request the employee’s login credentials or include a malicious link that, when clicked, takes the employee to an unrelated website. On the website, the employee is asked to either verify their information or download a file. In some cases, hackers will attach malicious files to the phishing email. If the employee installs the malware on their computer, this gives the hacker access to the company’s IT network.
Phishing emails are incredibly common. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Companies can prevent phishing attacks, however, by training employees to be on the lookout for these fraudulent emails.
If Barry Dunn sent you a “Notice of Data Breach” letter in the mail, your information was leaked and may have been accessed by a hacker or other criminal actor. This can significantly increase the likelihood of identity theft or other frauds. However, there are steps you can take to protect yourself. To learn more about the Berry, Dunn, McNeil & Parker data breach and what legal options victims of the breach have, please see our recent piece on the topic here.