KPMG Mexico confirmed that at the end of January 2019 it detected "that certain information of some clients was compromised before an unauthorized third party", for which reason it initiated an investigation and took "decisive corrective actions with due diligence". This leak of information, which lasted from November 2018 to January 2019, exposed the view of anyone with access to the Internet personal and tax data of employees of at least 41 clients of the consulting firm in Mexico, published El Economista on Sunday.
"For reasons of confidentiality with our clients, we are not in a position to provide additional details, although we are undoubtedly working closely with the clients involved," said Roberto Cabrera Siles, KPMG Mexico partner in charge of media communication, in an email sent to this medium.
El Economista published that employees of KPMG Mexico downloaded without authorization from their owners millions of digital tax receipts (CFDI) from the Tax Administration Service (SAT) and with them created a database that was exposed on the Internet, without passwords or security controls, between November 2018 and January 2019. It is estimated that the data leak volume is 4.98 million documents.
In a confidential internal report dated February 22, KPMG Mexico details that a "small group" of company employees used Microsoft's Azure Blob Storage storage service to host confidential information without passwords nor security controls, so these data were in view of anyone with access to the Internet for three months.
Among the corporations affected by the leak of personal and fiscal data are the insurer General de Seguros, S.A.B., the industrial conglomerate Grupo Bocar, the Grupo Empresarial Ángeles Hospital, and the soccer club Gallos Blancos S.A. of C.V., the PharmaCon pharmacies of FEMSA, the ITESO University, the Premier Club of the airline Aeromexico, the steel companies ArcelorMittal, ThyssenKrupp, and the fund manager for the retirement Profuturo GNP.
In the internal report addressed to clients, the company makes a detailed account of what it called "information security incident" and assures that these "actions were very serious violations of our policies"; KPMG informs that it dismissed two people from the development team and that he filed a criminal complaint with the Public Ministry.
In the communication sent to El Economista on Monday, Cabrera Siles assured that on February 26, the data protection authority, Inai, "requested information to KPMG in Mexico regarding this event." For reasons of confidentiality and that the investigation is ongoing, he added, "we can not comment on anything additional."
According to the communication from Cabrera Siles, KPMG Mexico "KPMG's security and information protection programs are among our highest priorities. Our ability to provide high-quality services that our customers expect has not been affected in any way."
He added: "We deeply regret this incident and are committed to working with our clients and other related parties to continue protecting their information."
With this customer data leak, KPMG Mexico joins a growing group of companies in Mexico that have registered leaks of personal data, such as Hova Health, involved in the exhibition of 2.34 million electronic clinical records of Seguro Popular de Michoacán beneficiaries in 2018; the transport services company Uber, which was the victim of the theft of personal data from almost 1 million Mexican users in 2016, and the digital native media Cultura Colectiva, which exhibited 450 million records with information from Facebook users in 2019.