When Cybercriminals Target Clients: The Hidden Extortion Risks for Accounting Firms

Published: May 6, 2026
Data breaches make headlines when enterprises like Target or Salesforce are hit, because they’re often costly incidents that impact millions of customers at some of the world’s most recognizable brands. But that doesn’t mean smaller businesses — like your accounting firm — are immune.

With the average cost of a data breach reaching $4.4M and reputational damage eroding trust fast, you can’t afford to shrug data breaches off as a big corporate problem.

Cyberattacks are more than operational chaos — disrupted workflows, business grinding to a halt. The real damage often surfaces post-attack, extending beyond you and wreaking havoc on your clients.

In our webinar, SmartVault Chief Information Security Officer and former cybercrime investigator, Luke Kiely, and VP of Growth, Jonathan Young, broke down the realities of cyberattacks.

One reality? Cybercriminals steal your data to do more than sell it — they’re weaponizing it and using it to extort you and your clients.

They put your reputation on the line, right alongside your clients’ security.

The One-to-Many Threat Model

What makes accounting and tax firms so attractive to cyberattackers? Access to a wealth of sensitive business and client data.

When they get into your systems, cyberattackers get your data, but they also gain full access to your clients’:

  • Names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Sensitive financial details

And they weaponize all of this, typically in the form of extortion.

It’s like a one-to-many. If they can get into an accounting firm, fantastic. But if they can get the details of all the clients, they can start to weaponize the names, the addresses, Social Security numbers, date of birth, financial — all that. That becomes another attack vector.
– Luke Kiely, Chief Information Security Officer, SmartVault

Consider Vastaamo, a Finnish psychotherapy provider. Its patient database was breached in 2018, and in 2020 the extortion campaign that followed became public; more than 30,000 individuals were affected. The attackers had access to the company’s own records and to its patients’ private information, including:

  • Full names
  • Home addresses
  • National identity numbers (the Finnish equivalent of Social Security numbers)
  • Names of clinics offering treatment
  • Email addresses
  • Therapist and doctor notes from each session
  • Personal details from therapy sessions

They used this data to extort Bitcoin, first from Vastaamo and then from its patients directly, threatening to publish each person’s therapy notes unless that person paid. Not everyone paid, and years later the leaked records remain accessible online.

“It’s less about the actual cyberattack,” Kiely explains. “It’s the aftermath. If [bad actors] can’t get the data that’s of value to them straight away, they can pivot and turn that into an extortion attempt.”

Accounting firms aren’t exempt. Even if you’re not targeted directly, your client data is still valuable enough to make you and your clients targets for extortion.

Your clients trusted you with some of their most sensitive information — that trust makes your client list the prize, and every name on it a potential target.

Your Client Data’s Gone — Now What?

So, what actually happens once cybercriminals steal your client data? It’s less dramatic than the movies, and faster: once inside, they move as quickly as possible to meet their objectives.

“They’re very patient in the lead-up to it,” Kiely explains. “But once they’re in, they don’t necessarily have that same level of patience. They want to achieve their objectives as quickly as possible.” And those objectives typically follow one of these paths:

  1. The first path is about immediately reselling the stolen records, from names and Social Security numbers to financial details. They often list the data on dark web marketplaces for as little as $2–$5 per person. And it adds up fast when cybercriminals have access to hundreds or thousands of clients.
  2. The second is all about direct weaponization. Cyberattackers use your client data to file fraudulent tax returns, take over financial accounts, or execute mandate fraud (redirecting bank transfers by impersonating a trusted contact).

Extortion doesn’t always require a ransomware attack. The leverage cybercriminals gain is often simpler and more devastating: the threat of public exposure. The Vastaamo attackers didn’t need to lock down systems. They just needed sensitive enough information and a willingness to publish it.

Knowing if they release that information publicly, how many people are going to want to go back to an accountant who’s been known to have a data breach?
– Luke Kiely, Chief Information Security Officer, SmartVault

And because stolen data doesn’t expire, your clients could face fraud months or even years after the initial breach.

The exposure window is often wider than most firms realize. “It’s not just always a single event,” Kiely notes. “There are so many opportunities for a cybercriminal to commit extortion and fraud with all of the customers they’ve got access to.”

By the time most firms realize something happened, the data has typically already been sold, used, or both.

The Real Harm Comes from the Aftermath

When you suffer a breach, your first instinct is likely to minimize it and label it as “sophisticated” to avoid embarrassment and reputational damage.

Researchers at Harvard’s Belfer Center explain why: Instead of acknowledging lapses in basic security practice, businesses are more likely to claim their adversaries were so capable that no reasonable amount of security would have kept them out.

Disclosure requirements mean you have to share the news. For accounting and tax firms, which the Gramm-Leach-Bliley Act treats as financial institutions, that now includes notifying the FTC within 30 days of a breach affecting 500 or more consumers under the amended Safeguards Rule, on top of state breach-notification laws. This creates a public relations problem that demands an explanation. Calling the attack sophisticated shifts blame from the organization to the cyberattackers, so you don’t have to admit failure.

The 2014 Xbox Live outage is the perfect example. The service went dark on Christmas Day, one of the worst possible days for millions of customers who’d just unwrapped their consoles. It was a distributed denial-of-service (DDoS) attack rather than a breach, and the attackers were a group of teenagers who, as Kiely recounts, purchased an online tool for less than $500.

As Kiely explains, Microsoft wanted to frame it as sophisticated “because they want to try and reduce the reputational damage of not being able to protect themselves or the customers. Embarrassment is a huge reason why people don’t want to air these things.”

And the pattern hasn’t changed. A 2025 analysis of the year’s biggest breaches found that cloud misconfigurations, neglected fundamentals, and identity-driven intrusions — not elite hacking — accounted for most major incidents.

For example, McDonald’s exposed the personal data of 64 million job applicants in 2025. How? The McHire recruiting platform, built and run by the vendor Paradox.ai, still accepted the default username and password “123456” on an administrative test account, and once inside, researchers found an API flaw that returned any applicant’s record simply by changing an ID number. Cyberattackers aren’t breaking down reinforced doors; they’re walking through the ones left wide open. Note, too, that the open door belonged to a vendor, which is exactly the position an accounting firm is in with every portal and SaaS tool it hands client data to.

The problem with the “sophisticated” framing is that silence and spin don’t protect a firm’s reputation. They delay accountability and erode client trust that’s nearly impossible to rebuild.

And the cascade that follows a breach happens regardless of how you characterize it: forensic investigation costs, technology remediation, insurance disputes (insurers increasingly deny or reduce payouts when controls attested on the policy application, such as multi-factor authentication, weren’t actually in place), and civil litigation from affected clients.

That’s all on top of potential Federal Trade Commission Safeguards Rule civil penalties, cited in the webinar at $46,000 per violation. That is the 2023 figure; the FTC adjusts the per-violation maximum for inflation each year, and it now exceeds $50,000.

“Time and time again,” Kiely says, “the aftermath of a cyberattack is significantly more impactful than the actual attack itself.”

Reputation Is a Security Issue

Ask yourself the same question Kiely poses in the webinar: “How many people are going to want to go back to an accountant who’s been known to have a data breach?” It’s a simple question, but the answer’s sobering.

Reputational damage can look less serious than financial penalties, but it is often more disruptive, because it is a business continuity threat. For small-to-mid-sized firms where client relationships are everything, losing that trust can be what ends the business entirely.

Your reputation isn’t protected by damage control after the fact. A well-crafted statement, a PR strategy, a heartfelt apology: none of that rebuilds what a breach destroys. What actually protects you is transparency before something goes wrong, preparedness, and controls you can prove were in place.

It’s the bare minimum as far as your clients are concerned. They expect consistent, demonstrable evidence that you take their security seriously. Vague assurances don’t cut it anymore.

You Owe Your Clients Security Beyond the Firewall

A breach is more than an IT or security problem. Cyberattacks are trust problems. The firms that understand this before something happens are those best positioned to protect both their clients and their reputation.

Think about when your clients handed you their tax returns, financial records, Social Security numbers — the kind of information people guard with their lives. The way you protect it is a direct reflection of how seriously you take that responsibility.

The good news? You don’t have to wait for a breach to get ahead of security and trust issues. Watch the full webinar to hear SmartVault CISO and former cybercrime investigator Luke Kiely go deeper on how client data gets exploited — and what you can do to get ahead of it.