3 security takeaways from the IRS Littlejohn data breach

As victims of the IRS Littlejohn data breach receive notification, firms need to ensure their cybersecurity policies will protect client data.

minute read

Last Updated May 6, 2024

Category Cybersecurity

A man sits in front of a laptop in distress due to news of the IRS Littlejohn data breach.


The now infamous Littlejohn data breach should serve as a warning for accounting firms regarding cybersecurity. In April 2024, the IRS sent notification letters to victims of the breach, thrusting the story back into the news.

Here’s a little history: Charles Littlejohn worked for massive law firm Booz Allen Hamilton when, between 2018 and 2020, he illegally obtained from the IRS the tax return information of high-ranking government officials and thousands of wealthy individuals. He then turned the information over to media outlets, one of which published a series of articles that exposed taxpayers’ sensitive financial information. 

The breach was massive—the largest successful attack on the IRS in recent history and perhaps of all time. Notification of the breach is likely to trigger a wave of lawsuits targeting the IRS, some of which are already underway. Booz Allen Hamilton is also facing lawsuits. Littlejohn began serving a five-year prison sentence in January. 

What accounting firms can learn from the Littlejohn data breach

There are a few primary lessons accounting firms can take from the Littlejohn data breach, which struck right at the heart of their business: tax information.

1. Tax data is valuable data

Littlejohn targeted the tax returns of wealthy and powerful individuals. He likely understood the value that type of information would have to media outlets, at least one of which showed no hesitation in publishing it. While your firm might not serve billionaire clients, you do manage some of the most sensitive and valuable data a person can possess.

That data is a prime target for cyberattackers who might seek to collect a ransom, extort a client or even embarrass someone publicly. Accounting firms need to have far stronger security capabilities and policies than most other types of businesses. Running your own in-house server is risky. Trusting a cloud partner to let experts protect your data is a much safer and easier option—and it often ends up being less costly.

2. Be careful who you let access your data

Littlejohn worked for an IRS partner. It’s unclear legally whether that made him an IRS employee. But the greater point here is that your firm has to vet its partners carefully. Booz Allen Hamilton has more than 30,000 employees; your partners are almost assuredly much smaller. You need to make sure you absolutely trust any company you do business with, and you need to make sure your partners have some cybersecurity awareness. One small company nearly lost $500,000 when a partner fell for an impersonation of the company’s owner.

Beyond that, your firm should be very cautious about giving partners access to your firm’s data. If they need direct access, you need to limit what they can see to only what they need to see. The safest and easiest way to do that is to engage with a cloud provider that can evaluate your security capabilities and review your internal security policies with you. A cloud provider can help you structure your security setup so that you can control who sees which pieces of information. The key is to find a cloud provider with expertise in handling accounting and tax data.

3. A cyberattack could leave you financially vulnerable

The IRS is obviously a government entity with a massive budget, but one expert told Bloomberg News that even by IRS standards, lawsuit settlements could be costly, describing the legal fallout from the breach as potentially a “pretty significant matter.” If the IRS is facing real financial consequences as a result of a breach, imagine how quickly a lawsuit following a data breach could cripple your firm.

Keep in mind, too, that Booz Allen Hamilton is facing legal action as well. Although it’s highly unlikely that one of your employees would steal a client’s data, it’s still not a bad idea to enact the same policy for employees that you should for partners: Employees should only see the data of the clients they serve

No one is immune from a data breach

It’s easy to fall into the trap of thinking that your firm is immune from a cyberattack, or at least less likely to suffer one than an organization like the IRS. But what Littlejohn sought was sensitive data, the very same type of data you deal with for your clients. The point is not that the IRS was the target—it’s that the data was.

Managing sensitive financial data puts your firm squarely in the crosshairs of cyberattackers. You need a written information security plan, or WISP, in place so that you know exactly how you’re set up to prevent cyberattacks and how you would respond to a breach if one occurred. Your firm needs a WISP for regulatory reasons, anyway. A cloud provider can help you create one.

Overall, your best defense is to let experts handle cybersecurity for you, just like you complete tax returns for your clients. A cloud partner can advise you on cybersecurity policy as well as manage cybersecurity capabilities for you so the next Charles Littlejohn won’t be able to make a victim out of your firm or your clients.

Trust a cloud partner to protect your data. Get started today.

Subscribe to our blog

Get Rightworks articles delivered straight to your inbox.