KPMG Mexico responsible for unsecured database that resulted in data leak
Who: KPMG Mexico
# of Accounts Breached: Employees at 41 of KPMG Mexico’s clients.
What was affected: Confidential payroll data of employees.
When it happened: February 2019
How it happened: According to a seven-page confidential report, dated Feb. 22, KPMG Mexico said a “small group of staff” created an “unauthorized environment” in Microsoft’s Azure Blob storage service that was not secure. Kept in that database was information from digital tax receipts that the KPMG employees downloaded from the Tax Administration Service, the revenue service of the Mexican federal government, according to El Economista.
Outcome: According to El Economista, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) will decide whether KPMG was in compliance with the requirements of Mexico’s federal laws on personal data protection and, if not, whether the firm deserves a hefty penalty. Cynthia Solís, a partner with IT legal advisory firm Lex Inf, told El Economista that if KPMG is found to have violated federal data protection laws, “I think we are talking about a million-dollar fine, between 20 million and 30 million pesos.” But if the INAI finds that the firm was compliant with the law’s requirements, the KPMG Mexico employees who were responsible for the data leak would be the ones fined, not the firm, Solís said.