B&K Issues Cyber-Attack Notice

Data belonging to an Illinois-based accountancy firm has been exposed in a cyber-attack. 

Bansley and Kiener, also known as B&K, is a 99-year-old full-service accounting firm headquartered in Chicago. 

Earlier this month, B&K issued a security notice stating that cyber-criminals had successfully targeted it using ransomware a year ago. 

“On December 10, 2020, B&K identified a data security incident that resulted in the encryption of certain systems within our environment,” stated B&K in its security notice. 

Upon discovering the digital incursion, the firm took steps to halt the ransomware’s spread and recover data encrypted in the attack. B&K also beefed up its cybersecurity measures. 

Believing the malware to be contained, the firm set out to determine how the incident had occurred and whether the attack’s perpetrators had stolen any data. 

Initially, B&K believed that none of its data had fallen into the hands of the cyber-criminals behind the attack, but the firm found out later that this was not the case. 

“B&K addressed the incident, made upgrades to certain aspects of our computer security, restored the impacted systems from recent backups, and resumed normal operation,” said the firm. 

“We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment. On May 24, 2021, we were made aware that certain information had been exfiltrated from our environment by an unauthorized person.”

After hearing the bad news, B&K launched an investigation, engaging the services of a cybersecurity firm to discover more about the attack’s impact. 

A year after the attack, the accountancy firm said it “cannot confirm specifically what information, if any, was viewed by the unauthorized person” who accessed its IT systems.

However, B&K did state that on August 24, investigators were able to confirm that information present on the firm’s systems at the time of the ransomware attack “included names and Social Security numbers.”

The incident has been reported to the HHS’ Office for Civil Rights in four reports as affecting a total of 70,941 individuals.

What’s Hot on Infosecurity Magazine?