Some data leaks are not what you might expect from their listing on a dark web leak site.
Today’s example is courtesy of a ransomware group that listed a medical practice on its leak site and then published the data.
Because it was a medical practice, DataBreaches started to inspect the data tranche.
To my surprise, there was no patient data.
Nor were there any office files or internal files for the named medical practice.
The entire data dump appeared to be from a tax preparation service in another state. The folder was called “LACERTE CLIENTS.” Lacerte is a tax software firm that markets Lacerte tax software. Its parent company is Intuit. Files in the leak included files going back to 2011 and up to 2024 for some named clients. DataBreaches did not examine all files, and did not spot any complete federal or state tax returns, but saw related forms, mileage forms, filing instructions for clients, and invoices for services the tax preparer had provided.
On July 25, DataBreaches called Dennis Horton, the tax preparer in Tustin, California whose name and address appeared on all of the files. Because his outgoing message indicated that he was away on vacation but would return the next day, DataBreaches left a detailed voicemail. The voicemail did not include the URL of the leak (who is going to read a lengthy onion address into a voicemail, right?) but left this site’s name and phone number.
Mr. Horton never called back.
On July 27, DataBreaches emailed him and repeated the message, this time sending him the names of some of his clients and their client number and the type of filings he had prepared for them.
Mr. Horton never replied.
Perhaps Dennis Horton of Dennis Horton Tax Services already knew he had been hacked or had a data security incident. Perhaps he already investigated and decided no clients needed to be notified. Then again, perhaps he didn’t.
DataBreaches also left a message for the ransomware group on their Tox asking them if they had just misattributed the leak to the wrong entity or if the tax data really was on the server for the medical practice.
They, too, never replied.