38 Minutes of Access: Inside a Real Tax Office Hack
There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.
Roger Harris: Hello again everyone. It's another federal tax update podcast. This is Roger Harris, and joined as always by Annie Schwab. Annie, how are you today?
Annie Schwab: I'm doing pretty good. It's finally fall here in Dallas.
Roger Harris: You know, I can't believe that 2025 is almost over.
Annie Schwab: I know that's scary.
Roger Harris: I mean, we are it seems. I can remember when it just started, but now again, [00:00:30] I don't know when you're listening to it. I know when we're recording it, you know, we're in November. Thanksgiving's around the corner. And then there's the Christmas season and holidays, so. Oh, well.
Annie Schwab: And guess what? There's still a government shutdown.
Roger Harris: Yeah. And gosh almighty. Hopefully they'll end that sometime soon because it's getting a little petty right now that they can't agree on anything. Makes you wonder how the whole thing's going to work going forward. If they open the government back up, can they get anything [00:01:00] done since they can't even agree on opening the government? But anyhow, we'll deal with that whenever. Hopefully by the time we do another podcast, the government will be open. And uh, again, we're going to be talking later on with some, uh, ex-people from the IRS that we'll announce later, that, uh, we'll be talking about how is this impacting the filing season for us next year? What's the IRS going to be able to do and not do, and whether we'll be able to? I [00:01:30] don't think it's going to be a normal tax season. The question is how far from normal will it be? But okay, let's get back to today, because we're excited about what is happening today. Uh, again. Well, as we just mentioned, we're filming this in early November and we're in the PTIN renewal season, which is not a big deal. I mean, I'll just go there, pay a little fee and get it, but we all check a box that indicates that we have a WISP, and we have all this great security and all these things in place. [00:02:00] And I hope that we're all checking that box because it's true, not just because we have to check the box, but we're going to revisit.
Roger Harris: If you've been a long time listener to this podcast, you heard us early on, uh, have a podcast with, uh, Kathleen Maley, who was a practitioner who had a breach, and she shared her story. Then not too long ago, we had Glenn Gizzy, who works for IRS stakeholder liaison, [00:02:30] talk about the same type of issue, but from their perspective, and other things that they do. But we spent a lot of time talking about how the IRS responds, um, in the case of a practitioner's breach. And today we're going to bring, uh, another story to you. This one is part of our family, uh, John Barucci, who was a franchisee of ours right outside of Boston. And you'll introduce him in a minute, who had another experience. And I've [00:03:00] known John for a lot of years. And I know John does things the right way. So this isn't because he was negligent or he didn't do something right. It's a story that we want to use to reinforce the importance of doing everything the right way and reacting quickly, because, again, John did everything the right way and it still can happen to anybody. So we're happy to have John join us today. So, Annie, why don't you introduce John and let's kick it off and let him tell his story.
Annie Schwab: Yeah. So you hit [00:03:30] the nail on the head saying, you know, it can happen to anyone. That is exactly what people think. That it won't happen to them until it happens to them. But thank you so much for joining us today again. John, a Padgett franchisee, been with us for many years. Um, and I'm happy to have you. I'm sorry to hear about your experience, but I think it's a story that others can learn from. Um, and hopefully take something away from this podcast today that will protect them and their clients moving [00:04:00] forward. So John, welcome. Thank you for joining us. And I'll turn it over to you.
John Barucci: Thank you very much, Annie and Roger. Thank you as well. And you know, unfortunately, I'm sad to unfortunately have to be here for this podcast.
Roger Harris: For this reason. Yeah, we wish it was for something else for sure.
John Barucci: But, um, it's important. And, you know, I mean, it's been a journey, and it isn't entirely complete, but I do appreciate the opportunity to tell the story, uh, about what happened [00:04:30] to me. And, uh, and for sure, um, you know, I didn't think obviously this would have happened to me, but I just kind of want to go through it, and I guess bear with me as I tell the story. I'm going to try to be as succinct as I can and kind of as an overview, I wanted to kind of just let everyone know, um, kind of what I had in place in advance of this and then the chronology of events, and then I'm more than happy to, as you wish to [00:05:00] ask questions, please do so.
Roger Harris: Yeah. Go ahead and tell them what you did to get ready. And then I want everybody to pay particular attention to what you did afterwards, because he did everything right, followed all the rules when this happened. And so the results were a lot better than they could have been.
John Barucci: Yeah. So I mean, in place pre-event, uh, you know, I had my general liability insurance, I had my cyber insurance, um, and the security investments that I had made prior to the event included firewalls. [00:05:30] And I had this RMM, which is that remote monitoring and managing of the endpoints, which I didn't really know what it all meant, but I knew I had it. I knew it sounded good. Yeah, it sounded all good. Um, and I was a client of Fi, which I frankly don't even know if we still have a relationship with them, but they have training, and they had awareness courses that my employees and myself were involved in, and part of that was developing a written [00:06:00] plan for the unlikely event this would happen. So my chronology of events, the initiating event, and this is all kind of the back story here, is that I had a forensic, um, team that did some investigation that kind of put together some of the things that happened. But in the, uh, you know, in the moment, uh, what actually happened was, um, that I had an event that occurred, uh, whereby I clicked on a link [00:06:30] to, uh, what I thought was the Social Security Administration, uh, indicating to me, uh, that they were sending me, um, some information on, um, an account, uh, that I had. Earlier in the week, I had, uh, reached out to them about a record of account on, uh, Social Security, uh, history. And I thought that's [00:07:00] what this was. So I clicked on the attachment, which of course was a malicious attempt to get in.
Annie Schwab: And so you didn't know right then?
John Barucci: No, I didn't know right then. This was back in August. The date was August 12th. Okay. Um, and then, uh, so that was the event that kind of precipitated everything that happened. Um, the breach actually occurred on Wednesday, September 10th.
Annie Schwab: Okay. And so just before the deadline. Right.
John Barucci: Yeah, [00:07:30] exactly. Um, and so at that point, Wednesday, September 10th, early in the morning, um, through that link, they were able to remotely access my, uh, my desktop, and, uh, it was through a piece of software which was a remote access software. So the software itself wasn't malicious. It wasn't some piece of malicious software. It was a remote access tool. It was downloaded to [00:08:00] my desktop, unbeknownst to me, something like GoToMyPC, and it allowed them to get into my desktop. And from that point, um, uh, 3:31 in the morning. And if you can bear with the chronology, um, I got a two-factor authentication on my phone, uh, indicating that there was an attempt to access the tax software. It happened again two minutes later at 3:33. So as we go through this [00:08:30] on September 10th, there was a second attempt to get there. Um, and then again at 3:33, as it turns out, um, through the Thomson Reuters software, if you can't get through on that initial, uh, phone authentication, you can then go to an email as a backup. And so at that point they were able to get the code through my Outlook, uh, [00:09:00] and find, uh, the code to get then into the software.
Roger Harris: Now I gotta ask you a question. Were you awake at this time, or did it wake you up?
John Barucci: I rarely sleep and my phone is always alerting, so I heard it, but it didn't dawn on me at that point that this was a problem. Uh, so 3:33, I didn't hear the email backup alert; the first two came to my [00:09:30] phone. So I got that. And at that point, five minutes later, the bad actor had already accessed the first client. Um, so client one had been accessed, and through the forensics, we found at this point between 3:38 and 3:44 in the morning, the first client had been accessed, banking information had been changed, income had been adjusted. And uh, they then at that point went [00:10:00] to send it to transmission. And as we all well know, when you send a file to transmission to Thomson Reuters, there's another alert that comes on. Right. And that was at 3:44 in the morning. So uh, that then also came to my phone at that point. Uh, I was awake and.
Annie Schwab: Yeah, I bet you were.
John Barucci: I was, I was on my way to the office. Um, because this didn't make sense. Still not [00:10:30] overly concerned, but they had made the, uh, the alert to my phone, and then they went to the backup email. 3:44 a.m., same moment. And then they transmitted the first file to Thomson Reuters, same moment. So 3:44 a.m. the first file went. Um, between 3:47 and 3:48 a.m., a second client was accessed. There was no data altered. They closed the file. 3:48 to 3:52 in the morning, the third client [00:11:00] was accessed. There was no transmission to the IRS, but they made some changes to the client file, as I found out later. Um, so.
Annie Schwab: They were basically changing it to create larger refunds. Is that whatever?
John Barucci: Right. So income was being reduced on Schedule C, um, charitable contributions in this particular case, in this third client, were being increased. Um, in some of these client cases, there were a total of [00:11:30] nine clients accessed. Um, there were other things, as I'll get into, uh, that were being done that were sort of clever, uh, on their part, but uh, income was being adjusted, uh, down, and deductions were being adjusted as well. Interestingly, there were some refunds that were being applied to next year. Um, a really odd year for the client, but because they increased the refunds so much, [00:12:00] it was. You've heard the saying pigs get fed, hogs get slaughtered.
Roger Harris: Yeah.
John Barucci: And so they were adjusting things so that it might not quite seem so alarming that.
Roger Harris: Or it might do you know, if the clients were going to get the same amount of Plaid that was on their return, so maybe they wouldn't even notice?
John Barucci: Not exactly the same amount, but close enough that that might not necessarily have alerted.
Roger Harris: Um, two other quick comments, John, but sorry, one of the reasons I asked about were you awake [00:12:30] is this shows how smart they are. They figured who in the world is awake at 3:30 in the morning when they're doing all this? Right. So, uh, they're smart enough to know when to do it. And secondly, because I've heard this so many times when I've been around people: I don't have to worry about it, I've got multi-factor authentication. Well, you need not. Don't take this wrong. You want multi-factor authentication, but that by itself didn't stop them.
Annie Schwab: Well, and they had to have known the software, because it's like minutes. They're in [00:13:00] it. They're changing it. Then the next client, the next client, the next client. So it's somebody who is familiar with, you know, the e-filing process, familiar with, you know, the software, the data entry screens, how to get past any kind of, like, e-file diagnostic, because it wouldn't have gone if they hadn't cleared all the diagnostics. Um, so, you know, somebody, whoever this was, um, definitely knew their way around in the software, and they moved very quickly.
Roger Harris: And I'm sure they know every [00:13:30] software and probably, you know, somebody out there knows them all.
John Barucci: Yeah. Let me add to that, that the initial access, the access point, the software was downloaded August 12th onto my computer. And all this action happened September 10th. So this is purely speculation. But you're right. The actor that came in on September 10th likely wasn't the actor that got [00:14:00] the initial, you know, that was phishing for this information. Right. So this was sold to somebody who knew the software. I mean, this very likely was put out there somewhere, probably on the dark web or something. And somebody got it, who knew. Exactly.
Roger Harris: Yeah. I was going to say that, because I've been briefed that there is actually a dark web where you can go and buy clients that have been accessed or hacked, however you want to describe it. Yeah. And [00:14:30] so it's usually the person who creates the entry point is not the person doing it. There's, you know, two different groups. The person that gets access to the information, who then sells it to the person who uses the information. So yeah, probably during that period from when they hacked in till the 10th, it was out there on the market and somebody bought it and knew what software you used.
John Barucci: And yeah, yeah, it's a funnel for sure.
Roger Harris: Yeah. Yeah.
John Barucci: And so, you know, just kind of [00:15:00] going through this in real time, um, you know, 3:48, you know, the next client was accessed, more adjustments were made. 3:53, the next client was accessed. All banking information was changed. So the third client, uh, that was accessed, they didn't make a transmission. The fourth client that was accessed, both IRS and Massachusetts returns were transmitted after banking was changed. Um, fifth client, [00:15:30] same thing. Banking info changed and the US return was transmitted. And I think about this, as this was September 10th. So you know, if this had happened early in the tax filing season, I might have had 30 right now. You know, as it stood on September 10th, I had, um, I might have had 35, 40 clients that hadn't been filed. You know, the clients that had been filed, you know, all the rest of them, uh, were already locked down. But, I mean, these were the ones that [00:16:00] were pending, if you will.
Annie Schwab: Right?
John Barucci: Yeah. Um, so the sixth client, uh, at 4:06 a.m., was accessed. Uh, at 4:07, the seventh client was accessed and transmitted to Thomson Reuters, uh, and then at 4:14, the eighth client was transmitted, uh, and I'm sorry, the eighth client was, uh, accessed, but was not transmitted. And then the final client, the [00:16:30] ninth client accessed, uh, was the one at 4:15 to 4:16 in the morning, when I walked in and, you know, still not worried about what was going on. I didn't know any of this at the moment. I just walk in and see my desktop being manipulated, and, you know, in that moment, you know, for a split second, I was really grateful that Thomson Reuters was in my software, fixing a problem, fixing something.
Roger Harris: Yeah, yeah.
John Barucci: You know, it's funny how your mind [00:17:00] works. And I'm like, God, I'm like, you know, they really work. They work all hours. Uh, that lasted for about exactly a second until I grabbed the mouse and shut it down at 4:16. Nothing, you know, nothing got done there. But that client had, uh, income adjusted, banking info changed, uh, and I didn't realize that in the moment I closed the client out. So that was the population of the breach event.
Roger Harris: And [00:17:30] I think you said something, that you're telling this based on information you've gotten subsequent to this, from your forensics. When you walked in there, you know, you didn't know in real time what you just said, that these nine clients had been done and what had been done. You walked in and saw somebody playing in your computer and figured it was Thomson Reuters. But this all came because of the forensic, uh, study that was done afterwards. So, yeah. Don't think you're going to walk in and know, oh, it's only nine clients, or it's 900 or whatever it is, [00:18:00] you're not going to.
Annie Schwab: Know.
Roger Harris: In real time.
Annie Schwab: Yeah. I'm sure your brain was just like, what just happened? Yeah, I bet, I bet.
John Barucci: I was shaking. I didn't know, and I didn't know at the moment. And then immediately I began to think about what just happened. Right. Right. And so I have a timeline of things that happened shortly thereafter, if you care to hear about them. [00:18:30]
Annie Schwab: Sure. No, we want to know.
Roger Harris: Yeah, exactly. Once you knew, you didn't know the magnitude of what had happened, but you knew something had happened.
John Barucci: Something.
Annie Schwab: Did you call first? Who did you call first?
John Barucci: Let's start with the actual timeline of events, because I do have it, and I have it through emails I wrote and saved, and everything that happened subsequent to, you know, me literally logging off the computer. A minute later, I changed the password. [00:19:00] So, I mean, I've got an email from Thomson Reuters, um, at 4:17 in the morning where I changed the password to the software, because I didn't really know what was going on. Right. And I got that confirmation. At 4:35 in the morning is kind of when the shoe dropped, because I got an email at 4:35, the auto-responder email that we all get that acknowledges the receipt from the IRS that a return was filed, and it was client number seven, the seventh [00:19:30] client that had been transmitted. And in that moment, I realized that this wasn't something that was, it was bigger than me. You know, something really did happen. Something really was going on. And that was at 4:35 in the morning. That acknowledgment coming through really let me know there was something dreadfully.
Annie Schwab: Wrong, a tax return you did not file and it was out of your control. Now you you can't stop it. Once it gets transmitted, you can't [00:20:00] get it back. Um, and so that's right.
John Barucci: And so from 4:36 in the morning till 11 in the morning I went through, I immediately started to go through the greeny. I tried to figure out, uh, in the software, what has happened here. Like, you know, one return, I was trying to think, did I transmit this return? Like, was this, like, I wasn't still.
Roger Harris: You still don't know exactly what's going on.
John Barucci: Yeah. And I [00:20:30] really thought maybe I did, but of course I didn't. Um, and so I started to go through who has been transmitted. So it was an assessment period on my own of trying to figure this out. But I knew by, uh, the late 8:00 hour that morning that I had to initiate my, uh, protocol for, uh, speaking to the IRS. So I reached out immediately, uh, to the IRS liaison to let them know that I did [00:21:00] feel like I had a breach, um, and that I knew there were several returns that I believed were going to be received by the IRS. I knew how many, uh, had been transmitted because of that, that, uh, you know, looking at the files, how many had gone out. Uh, so I wanted to immediately get word out to the liaison.
Annie Schwab: Uh, do they, like, answer the phone like, hello? How are you doing?
John Barucci: No, no. Unfortunately not. [00:21:30] Uh, it was via email. Um, I went through the email process. I reached out to my area rep. I had gone on to the IRS site, I, you know, and I had emailed them, uh, so I did that. And then I believe, Annie, later on you had suggested just reach out to all of them, uh, because somebody will hopefully get back to you. Of course, I called and left messages and so forth, but I reached out to my regional, uh, liaison, and I reached out to all of them, uh, later on. [00:22:00] And then at 9 a.m., as soon as Thomson Reuters wakes up at 9 a.m., uh, when they open, uh, I called them to just let them know about the damage that I knew about, that there were five clients that had, uh, been submitted, and if there was anything they could do on their end to stop the transmission, uh, to the IRS. I know that they say they can't, uh, but, um, I figured, [00:22:30] uh, you know.
Annie Schwab: Asking to ask. Right.
John Barucci: So that's what I did. 9 a.m. I was on the phone. I'm like, I've been breached. There have been unauthorized returns filed. If there's anything you can do, please do it. And I was on the phone with them for a period of time.
Roger Harris: So again, for people listening, don't think your software company can bail you out, because I'm sure there's a point at which that return is out of their control. It's on the way to the IRS. Let me ask you a question [00:23:00] about the IRS. This was obviously before we're in a shutdown. Now, this was before the government shutdown, but it was after some of the cutbacks. Is that correct, when all this happened?
John Barucci: This was September 10th.
Roger Harris: So so there had been cutbacks at the IRS, but they weren't the government wasn't shut down yet. So we're dealing with a somewhat restricted IRS workforce, but at least everybody that had a job was still there versus where we are today.
Annie Schwab: Today. [00:23:30] Yeah.
John Barucci: And I would think, and you know way more about this than I do in terms of how the IRS, what their composition is, and where, you know, the core parts of the IRS that are just kind of nuclear. They don't touch. These are the parts that must work. I would think that the divisions within the IRS that involve security and involve, uh, you know, the practitioner groups in that sense, that those, I mean, those are the parts [00:24:00] they have to try to maintain integrity around. Yeah. And client-facing stuff.
Roger Harris: Yeah. Yeah. Today, with the shutdown, there are what they call critical parts that are still working and have continued to work. The problem was actually probably worse when you were having this problem, because then it was up to the employee. They were taking these, you know, early retirement options. And I know the stakeholder liaison department had a huge loss [00:24:30] of people through that. Because if you remember when we were having all these layoffs, one of the complaints was that they weren't really thought through. They were just across the board. Get rid of 25% of the people, no matter what their job is. They've subsequently tried to bring some of them back. But I do know the liaison people, uh, commented that they suffered more losses than they would have, you know, in a normal "let's cut everybody's workforce down by 10%" or whatever the number was. They suffered a lot more than they [00:25:00] would have. That's why I'm trying to get a sense, when, as we hear their response, putting it in the context of how were they impacted by the cutbacks. But this was before the shutdown, because you're right, in the shutdown, I would imagine this department has everybody still on board that they have. But you're right.
Annie Schwab: But how experienced and trained they are. You don't know. They could have pulled somebody from somewhere else just to you know.
Roger Harris: Yeah. So. All right, John, back to you.
John Barucci: Yeah, sure. So. [00:25:30] Yeah. So later that morning, I had obviously taken the computer offline and brought it to the tech firm that I have that does all this stuff. And they did what they had to do to remove the software that obviously was on there, that allowed the access. Later that early afternoon, I contacted my insurance company and others, uh, to kind of obviously inform them. And that was that day, more or less, [00:26:00] uh, in a nutshell. The next day, um, I started the painful process of, uh, speaking to the clients I knew had been accessed, through email and calls, um, as to what I knew in that moment had happened. Uh, the IRS liaison, uh, folks did, in fact, reach out to me within 24 hours.
Annie Schwab: Wow. Okay.
John Barucci: So that was really, uh, that was very heartwarming [00:26:30] to get that outreach. And I'll also say, uh, you know, Cindy was fantastic at Padgett. I spoke to her. I believe I also spoke to you, Annie. You did, right out of the gate. Um, and, uh, you know, it was kind of just surreal trying to get my arms around it.
Roger Harris: What to do. Yeah. How'd the clients take it?
Annie Schwab: That's my question.
John Barucci: Yeah. So, uh, obviously they were concerned. They were, uh, you know, but there wasn't anything [00:27:00] directed directly at me. It was, you know, obviously they were concerned about their tax IDs and banking information and such, and, you know, how much information I could give them. I was just brutally transparent about what I did and didn't know.
Annie Schwab: I think that's the right decision at that point. Like, sugar coating it is not going to help anybody.
John Barucci: No, no. Just letting them know, hey, you know, this is what I know. You know, this is all I know, and this is what I know. And I'll let you know more when I know it. Um, but the liaison folks, uh, [00:27:30] provided me with information about what I should do. You know, they told me that another division in the IRS called the Return Integrity and Compliance Services group, the RICS group, RICS, would also be in touch with me in the near future. Um, and they also indicated the most immediate step was to get a new EFIN.
Annie Schwab: Of course.
John Barucci: And so, um, that process was a quick process as well, [00:28:00] calling the help desk. Uh, I was in and out of that call in an hour. Uh, having my old EFIN that I've had for 30 years, uh, suspended and.
Annie Schwab: Suspended. Yeah.
John Barucci: And a new one reissued instantly that I could then put into the tax software and continue on.
Annie Schwab: I don't know if the EFIN desk is open during the shutdown. That may not have. I mean, a one-hour turnaround time is amazing. I don't know if that would happen now.
John Barucci: Yeah, that I don't [00:28:30] know either. I do know that I didn't hang up the phone. I mean, literally on the phone and off the phone with a new EFIN. I had gone into my, uh, whatever account it's called with the tax pros. I was able to see the application. I fired it off to Thomson Reuters. The next day they approved it, but even before then, I had put it in my tax software and was already off filing.
Annie Schwab: You are almost up and able to file again within two days. One day?
John Barucci: Yeah. One day. Yeah. I mean, I had already [00:29:00] transmitted to them; they just had to approve the application. I got the IRS letter a week later, but they took the applied-for application, the acknowledgment within my tax pros account, as kind of gospel for them, allowing for me to continue on. So have you slept yet?
Annie Schwab: I'm just curious. Did you go back to sleep yet?
John Barucci: No. Uh, well, yeah. Yeah yeah. It's like just barely. But yes, boy, it was tough. [00:29:30] But I knew, you know, it was game day. I mean, you know, you've got to be up, I mean, when this is going on, I mean, you know, it's important. And that's a really great point. You know, the weight of what we all handle as tax practitioners, as franchisees, for this personally identifiable information, for our clients' data. It's really a weighty responsibility. And that is something that, you [00:30:00] know, when we go through the motions every year and it's the same thing, it's important to understand. And we take for granted that our clients really, they trust us to give them good information. But we hold the keys to the kingdom for many, many people.
Roger Harris: Oh, yeah. And you said one thing that, you know, I want to add one comment on. One thing I heard is because you had a plan and you executed it, you were back and running in 24 hours. I mean, you were able to keep your business going 24 [00:30:30] hours after the breach because you had a plan. You knew what to do. You knew who to contact. You did all those sorts of things. And in that 24 hours, you reached out to clients. Again, I can't tell you how often, when I sit in sessions with tax preparers, the stories you hear. Well, I didn't want to call my clients. I was afraid to call them. And, you know, so that just made the problem worse, because now those clients, they're not aware of the problem. Who knows what else is happening because of the data that you just mentioned that we have. But you did everything [00:31:00] right. The problem wasn't solved. You still had issues that we'll hear about, but you were up and running within 24 hours because you knew what to do. You knew who to call. You had a plan. And it could have been a whole lot worse, because you had a corporate deadline a few days out and then October 15th. And just imagine if you'd have been delayed weeks.
John Barucci: Exactly, exactly, exactly. Um, so the very next day after. So that was day one post-[00:31:30]breach. Uh, that's what happened. Day two I contacted my local, uh, Westwood Police Department, filed an incident report. I was in there, uh, early in the morning, um, and made that report. I have a copy of that report. Uh, and then that was Friday. So that happened to be Friday, September 12th. And then nothing happens until Monday. Um, Thomson Reuters then reaches out to me. They have an operations technology group. So all this while [00:32:00] I'm thinking, you know, these returns have all been transmitted, but they told me, uh, because I was able to reach out to them so quickly, that they were in fact able to stop. Um, so it was four clients and five tax returns.
Annie Schwab: Oh, one state.
John Barucci: One state, four clients, five tax returns. Of those, they informed me that they were able to stop four of the five returns from being submitted to the IRS. [00:32:30] Three IRS and one Massachusetts Department of Revenue return, uh, were able to be stopped. So that one acknowledgment that came through at 4:35 in the morning was the.
Annie Schwab: Only one that really got through.
John Barucci: That got through.
Annie Schwab: Yeah. That's crazy.
Roger Harris: So that turned out to be a really bad deal. Whoever bought your clients because they only got one return, whatever, whatever they paid for your client list or your access, they only got one return through.
Annie Schwab: And the one that they did send, what was the refund like? Was it?
John Barucci: It [00:33:00] was honestly, no, it was under $2,000.
Annie Schwab: That's crazy.
Roger Harris: Yeah, well, they took a beating on that. Whatever they paid, they took a beating on that because I know they paid more than two grand for. Yeah, for sure, but I don't feel the least bit sorry for them. I hope they lost $1 million on that deal. Yeah.
John Barucci: Yeah, it was crazy. Um. Uh, that same day, uh, that and and and and that call they gave me, uh, Thomson Reuters gave me, uh, really, uh, the information that I [00:33:30] needed in order to really, uh, put together what I've already given to you, which is that timeline. They gave me the logs, so I got the log of access, and that log of access was confirmed by the forensic team that I hired to do the investigation. But that log of access I got on Monday, September 15th, that I that kind of validated what I more or less already knew.
Annie Schwab: Quick question. How did you find this forensics team? [00:34:00] Was this something you had selected?
John Barucci: Insurance. So when I contacted my cyber policy, they already had a legal team sorted and they had a forensics investigation team sorted. And the, uh, and the legal team has, uh, we're executing it as of yesterday. Uh, the, the, uh, the company that is going to do the, the offering to the clients and the dependents and such, uh, that were breached or [00:34:30] that were, uh, that were exposed.
Annie Schwab: Okay. Okay.
John Barucci: Um, the whole business of, um, offering, uh, monitoring services and that sort of thing. So there's some compliance around that, that, um, that, that that's going to be, uh, something that I'm going to have to deal with.
Annie Schwab: So that's another important thing when you're selecting your insurance company, understanding exactly what coverage you have, what you know, what they can do in case of a breach like this because. Absolutely. Yeah. [00:35:00] Okay.
John Barucci: You know, and and that was something that you all, uh, you know, this isn't this year, this was several years back, you know, what about that cyber security policy? You know, general liability insurance doesn't necessarily cover a cyber rider, you know. Right. And and my cyber and I did have a cyber rider, which was which was great. I mean, for this, this unfortunate circumstance. So and the cyber rider in the I happen to use The Hartford. Uh, so The Hartford is uh, [00:35:30] is the company that that underwrites below the, the general liability. And they, uh, there are parts to that cyber rider that include forensic investigation, legal and then, um, and then other offerings that, that, that involve like, uh, continuing monitoring and so forth. I mean, in the last two months, I've gotten letters just personally, uh, that my credit card, uh, company got breached, you know, and so those letters, you know, they offer the credit monitoring. And [00:36:00] so we have to do that, too. But that that costs money and and you need your cyber. You need that cyber rider.
Roger Harris: Well, you've you've made a couple of important points because again, all of us hate to spend money, you know, we'd rather find. But but it was important that you had a quality Software provider that had the resources that you needed that could step in, as opposed to necessarily the cheapest software. You know, it's one thing to just be able to calculate a tax return, but these other things can become extremely valuable [00:36:30] if you need them. You had great cyber insurance. They played a critical role. You knew who to call. I mean, these are all things that are easy to just kind of blow off and say, ah, that's too expensive or that's not important until you're sitting in John's chair.
Annie Schwab: Yeah, right.
John Barucci: Yeah, exactly. So the RICS unit reached out to me on the fifth day after the breach, and, uh, and they, uh, and they wanted. So the the way the RICS unit works is, uh, once a breach has been identified, [00:37:00] been reported, and there's that self-reporting that I did, uh, and they, they then offer you an opt-in to a practitioner relief program, which I didn't really know the first thing about. Uh, but they, uh, I'll explain what that is very quickly. But in order to get involved in that, you have to provide them your your entire individual client list for the year. Right. So that practitioner relief program involves essentially reporting to them [00:37:30] with 24 hours before you transmit returns to them, uh, who you're going to transmit and the and the metrics of that return. So Social Security numbers, AGI, refund, banking information. They give you a spreadsheet that you have to send to them, uh, by 3 p.m. the day before that you transmit. And so there's a little bit of a process that goes on. But the idea behind that is the reason you would do this is so that you don't just [00:38:00] transmit to them. Uh, and then they send, they would be sending once they get the list of everyone in your database, then they're flagging them all. And so then those folks would just. Yeah, I don't.
Annie Schwab: Know, another layer of making sure that nothing gets through.
John Barucci: Nothing gets through. And if they already have an advance who you're filing, then they're not going to be sending that identity verification letter that holds up the processing of the return, never mind the refund.
Annie Schwab: Got [00:38:30] it.
John Barucci: That's the issue. There is they're not even going to process the return. They'll they'll get the return, but they won't process it until identity is verified.
Roger Harris: Right. And people who want their refunds, that's going to slow it down significantly.
John Barucci: Right. So so there's this opt-in program that I learned about through this process. Um, a couple days later, I, in fact, did get my legal counsel, my forensics team, um, and then and then they did their investigation. I waited a week to send the IRS [00:39:00] the client list because, frankly, I was concerned, and I wanted to wait to talk to my legal team about my options. I wanted to make sure, uh, that, that this was the right move to make. And I needed I needed to get my legal sorted out before I just released everything. So I needed I needed to make sure that that this was 100% what I should do. And it's important. I mean, when you have legal representation, you want to act based on [00:39:30] their, uh, you know, their go-ahead. And so since I had already secured that, I made sure that I was operating under their umbrella for my own protection, uh, you know, as well as clients and everything else. So I waited till Monday, the 12th day after the breach, after RICS contacted me, seven days after the breach, I waited until the 12th day to actually send them that info and then and then move forward with it. So that was that was my timeline, my process there.
Roger Harris: But that turned out to be the right thing to do. It was. Yeah. [00:40:00] Because again, I keep I keep saying this, but I've heard very many instances where a lot of practitioners in your situation reached out to them when they heard that they had to furnish the list, they just said no and went away. Uh, because they had some of the same fears, I guess, that you did or they. But that's really a good thing. So if you're listening to this and you're in this position, John's telling you it's the right thing to do.
John Barucci: Uh, it is the right thing to do. [00:40:30] And, uh, you know, it's not knowing, you know, I'm I'm flying blind in that sense. And but I just wanted to make sure. But it absolutely. I mean, that that is the right thing to do.
Annie Schwab: Okay.
John Barucci: Um, so that was the 12th day after the breach, and then fast forward because there really wasn't any action, uh, since then until the 37th day. And that that brings us to October 17th, when my forensic team did, in fact have a meeting and produce [00:41:00] their, their, their findings, which essentially resulted in more or less what what I knew, you know, a couple of days after the breach when I got the logs from the software. Obviously there was there was the, the the bad actors had access to my email. But the tax software issue, the part that that was the that was the population. Yeah. Um, and yesterday, the 4th of November, I think today is the fifth or the sixth. A couple days ago Tuesday, um, my [00:41:30] legal team, I, they had reached out to me and they basically wanted, uh, after the meeting I had with forensics, they wanted a full list of all Social Security numbers that were breached. Um, they wanted to know because it wasn't just, of course, the client files. It was the spouses. The dependents.
Roger Harris: Sure. Um, yeah.
John Barucci: And so it. And so I provided my legal team with that information so that they can then, uh, furnish the necessary reports to the regulators [00:42:00] that exist in Massachusetts. I have clients that are in California, in New Hampshire. And so the jurisdictional issues involved with what? Legal. What legal requirements exist in those jurisdictions with respect to reporting? Uh, different. And so that's why that's why I have attorneys on the case there doing what needs to be done, uh, in wherever they are. So I guess in summary, um, yeah. For in [00:42:30] terms of what this was, uh, the the bad actors got into my tax software for 38 minutes. They accessed nine clients. Uh, it involved 27 individuals, taxpayer spouses and dependents. Um, there were five files transmitted to Thomson Reuters. Four were rejected. Uh, one was successfully transmitted to the IRS. And in terms of the look back on this, the kind of retrospective review [00:43:00] up to this point, you know, um, an ounce of prevention is worth a pound of cure. It's it's it's definitely an adage, but it's it's for sure. Um, you know, utilize some of the resources that that are out there. I think informing your, your employees, doing course awareness around what's happening out there in the space of security, um, they really have some courses and they and they constantly push stuff out. [00:43:30] And, and there are, there are simple and easy things that, that to do to do on a monthly or quarterly basis involving phishing, involving all these things that, oh.
Roger Harris: Everything.
John Barucci: We don't know, you know, and but it's again, it's an investment. It costs money to do these things. Uh, you know, it's but but it's, it's money. I think it's money well spent based on, uh, you know, certainly my experience.
Annie Schwab: I will say they're smarter than we are, and they're, they're coming up with [00:44:00] new scams faster than we can even understand the old ones. So you're right, having a company like defend or something similar to that, where you're getting the latest kind of tricks and tips and all the things to not just keep you, but you're right, your employees, um, aware because, I mean, it just takes, like you said, one click and now you're.
Roger Harris: There in and and if you think about your journey, John, you know, it was only small because [00:44:30] you happened to be awake. Number one, if you had been sleeping longer, it would have been larger. It's only small because you took the actions you had. I mean, a lot of the things that you were being done were being done because your insurance company jumped in and because IRS jumped in. And, I mean, this could have been I know you're a firm. We're not going to tell everybody what it's like here, but but your firm is so much larger than the damage. But it could have been the entire firm if. Yeah, if things had [00:45:00] gone differently. And and so first of all, you're to be credited for having taken it it seriously, you know, not just thought, you know, the way I started this thing, I got to check a box to get a PTIN. That's all I care about. You knew it was more than that. And you had all the place, all the pieces in place to protect you. When this happens, it's like every kind of insurance we buy. We don't buy car insurance because we want to run into other cars. You know, we don't buy life insurance [00:45:30] because we want to die. You know, we buy it because when we need it, it's there and it will get us through whatever the event is.
Annie Schwab: I do have a question for you. Ballpark. How much out of pocket did you have to spend? Not for the insurance policies and stuff, but you know what would you estimate all this post event cost you?
John Barucci: Um, in terms in terms of, uh, just over [00:46:00] and above what the policy covers, right?
Annie Schwab: Yeah.
John Barucci: Uh, so at the end of the day, it's going to be my deductible, which is $1,000.
Annie Schwab: That's amazing.
Roger Harris: Yeah.
Annie Schwab: And you didn't lose any clients? No. And what about the fraudulent refund? Who who covers that? How does the client get made? Whole.
John Barucci: Right. So the so the IRS when we. So what happened there with that one client that did in fact have a return accepted. [00:46:30] Um, we the process there was to submit the return on paper with an affidavit that indicated that, that the return that was, uh, in process was fraudulently prepared or filed and that that that this is going to replace that return. So the client, although it will likely take.
Roger Harris: Take a longer take a lot longer.
John Barucci: It'll take longer, maybe a few months. And with the government shutdown God only knows. But in [00:47:00] order to get that couple of thousand dollars refund, it Might. I don't even think it's a couple of thousand dollars. It's even less than that. Um, they're going to get that, that that refund that the IRS will, will honor that refund based on my, uh, based on the conversation that I had because that return was fraudulently submitted and they're and they're attesting to that fact. So the client and honestly, if I have to cover the refund as an advance, I've been a client a long time. I don't even care that that that doesn't even I mean.
Annie Schwab: That's and how long does the monitoring [00:47:30] go for all the monitoring?
John Barucci: I believe it's a year. I believe it's I believe it's a year long monitoring process. Uh, I believe that the, the cost of cover is for 12 months.
Annie Schwab: And what about IP PINs? Did all these clients need to get, or were they issued, IP PINs? I mean, we we actually encourage, um, you know, better safe than sorry. There's there's no red flag. There's no downside of getting an IP PIN. No.
John Barucci: And there.
Annie Schwab: Isn't.
John Barucci: Anybody can get them. Um, [00:48:00] and and we and I, I always encouraged IP PINs. Uh, and and it's, it's, it's only it's only something that's required as somebody that actually had a fraudulent return submitted. Correct.
Annie Schwab: This one.
John Barucci: Yeah. And and but everybody else you know that that was accessed that I spoke to that I knew about, I told them go get an IP PIN. It's just for your protection. Uh.
Roger Harris: It's a good idea, but they don't have to do it, so they don't have to. So really, going forward, other [00:48:30] than keeping your insurance and doing all that, it's not going to impact you going forward as you file returns. Except for actually one client has to have an IP PIN.
John Barucci: Right. And we have many clients that have them.
Roger Harris: Oh, sure. Yeah. Yeah. So it's a it's a, it's a, you know, again now that it's available everywhere I don't know why you don't have one.
Annie Schwab: Yeah. It's free to.
Roger Harris: It's it's free.
Annie Schwab: I mean it's not really it doesn't take a long time to get, you know, it's not time consuming.
Roger Harris: So. [00:49:00] Wow. What is your what is your kind of final message to. I mean, again, our audience is going to be people like you that prepare tax returns that hopefully, uh, have everything covered. But for those that have listened to your story, what what's the biggest thing you want them to take away from this in terms of what they should do?
John Barucci: Anybody, you know, this can happen. This can happen to any of us. And and we need to we need to, you know, just stay vigilant. Um, [00:49:30] I mean, you know, I, I like to think that I am very careful, but, I mean.
Roger Harris: I know.
John Barucci: You know, I mean, I, I mean, they're all it's just it just takes one mistake, one time for something to go wrong. You know, you click on one thing and, and you can have the monitoring software and you can have the firewalls and you can have the security and all of the other things. And it's just, it's just staying vigilant about, [00:50:00] you know, continuing to just be it's a very difficult. We live in a very we live in a time when when, as you say, the people there are people smarter than us. The the scams are, are more sophisticated. You know, um, I talking to people you can get, you know, if you're typing stuff into Google and you're getting search results, those search results, those top sponsored search results could be from a bad actor. You just need to be using paid-for things, [00:50:30] uh, to do your to do your tax research. Don't do tax research on Google. Uh, I mean that's I mean something as simple as, you know, when you're. And I'm guilty of it too. I mean, you go on, you know, you're just looking for a quick answer and you just want to type into the browser. You know something? Don't save your passwords in a browser. Use NordPass, use some kind of, you know.
Roger Harris: Some password manager.
John Barucci: Yeah, a password, a password manager. Keep things. Make sure you log off. [00:51:00] You know, although sometimes, sometimes, you know, it's easy to. It's just staying vigilant, doing the things that you know you're supposed to do. Because this can happen to anybody.
Roger Harris: Yeah. And I've known John for a long time and I and and he is vigilant. He does everything. But none of us are perfect. And that's that's what the bad actors know, that all of us, no matter how diligent we are, no matter how much we try to do everything right, sometimes [00:51:30] we get busy. We open something we shouldn't open. We do something wrong. So that's why we need this system in place. We need the WISP. We need the insurance. We need all this stuff there because they're spending every hour of their day trying to figure out how to catch the one time you let your guard down. And during busy season, you know, gosh, think about all the mistakes. We sometimes I can't remember how to get home. I mean, much less how to log off my computer or do things. I mean, it's, you [00:52:00] know, we we we're going to make a mistake and and we need to be covered when we do. And and if it can happen to John, I can promise you can happen to anybody. Because this is the last guy I would say. Yeah, I expected this. You know, this is it's not John, I can tell you that John did everything and you can tell by his story. He covered for the one time he made a mistake, as he called it.
Annie Schwab: And I will say, if you don't know WISP, it stands for Written Information Security Plan. You can go [00:52:30] on the IRS website and type it in. And there's all kinds of guidelines and helpful resources there. Um, you know it. I will say you should review that WISP. Um, we we encourage our offices not just to do it, to do it, but actually do it and do it well and revisit it and, and update it, um, because if you need it, you want it to be ready to go. Just like John said, he knew exactly what to do because he had that and he had it prepared. He [00:53:00] had it ready. So, um, if you're, you know, thinking, oh, I don't know if I have it or I have one from several years ago, or I got a template off the internet and I've really barely read it. And then I put it in my desk drawer. Um, might be the time to to pull it out and make sure it's accurate. Update it. Um, consider some of the things that John said today. Um, and, you know, give it some thought, talk to your whole team about it. Your office, your employees, your everybody needs to know about it.
John Barucci: So [00:53:30] especially if you network together. And that's the other thing, you know, when you when you're working with a team, you have a team. And I'm sure everyone that has a team knows this. But it's worth mentioning again when you're when you have a networked group of computers, it just takes one employee to, to be, you know, uh, browsing the internet and, you know, they download something on their software. And that was one of the first things the forensic team said is how many computers do you have networked together? Because it [00:54:00] could be on anybody's. It could be anybody else. And then they can get in. They can get they can, they can go wherever they need to go so that that's, that's you know.
Roger Harris: Yeah. Yeah. Because it doesn't matter if you're perfect, if you have an employee or employees who aren't because they don't have to hack the owner, they just have to hack the system.
John Barucci: That's exactly right.
Roger Harris: Yeah. So, John, thank you. Um, thank you for sharing your story. I'm sorry it happened. Um, but [00:54:30] you did everything right.
John Barucci: Well, I'm glad.
Roger Harris: To share it.
John Barucci: And and honestly, I mean, this could have been a lot worse, as you said. And I'm happy to share it. I'm happy to talk to anybody that wants to, uh, to to talk about it. I'll be at the tech seminar. Uh, and I'm more than happy to, to, to to spend time discussing this anyway. Would like to.
Roger Harris: Yeah.
Annie Schwab: Well, thank you so much and hopefully we'll be coming back soon with a podcast with some more uplifting [00:55:00] news like, you know.
Roger Harris: Like the government's open and the IRS is working.
Annie Schwab: There you go. Yes. Everyone's still employed and all the things.
Roger Harris: So airplanes are still flying or whatever. Are we going to see.
Annie Schwab: But yeah.
Roger Harris: Well thank you Andy. Take us home. Thanks, John.
Annie Schwab: This is it. I think this was a great story. Um, again, like we said, we'll continue to to bring you podcasts, hopefully some more uplifting news to come. Um, definitely some tax season, kick off, year end planning type thing. So, [00:55:30] um, as always, I enjoy being here with you, Roger. And that's all I have for today.
Roger Harris: All right. Thanks, everybody. Thanks, John. Thank you. Be back soon. Bye, everybody.
