Tax Advisor Hacked: 12,000 Client Records Stolen Through Compromised Email Account
A tax advisor loses control of his email account to a phishing attack. 12,000 client data records are siphoned off — the financial devastation is staggering.
Attack vector: Phishing | Total damage: €1.6M | GDPR fine: €420K
The Incident
On Monday, March 3, 2025, at 8:17 AM, tax advisor Juergen Wiesner attempted to log into his email account. The password didn't work. He typed it again. Nothing. A third attempt. "Incorrect password."
Juergen Wiesner, 54 years old, owner of the tax advisory firm Wiesner & Schreiber in Augsburg, Germany, assumed it was a technical glitch. He called his IT service provider. The technician checked the system and went pale. The password had been changed 38 hours earlier — Saturday evening at 10:41 PM. And it was not Juergen Wiesner who had changed it.
The reconstruction of the attack revealed a terrifying picture. On Friday, February 28, at 2:23 PM, Wiesner had received an email from what appeared to be his professional association's billing system. Subject line: "Important: Update Your DATEV Access Credentials — Deadline March 1." The email was professionally designed, featuring the official DATEV logo, a convincing sender address (which was actually a cleverly spoofed domain: datev-security.de instead of datev.de), and a link to a nearly perfect replica of the login page.
Wiesner entered his email address and password. He used the same password for his DATEV account and his business email account. No multi-factor authentication. No password manager. One password for everything.
What happened between Friday at 2:23 PM and Monday at 8:17 AM was a systematic plundering. The attackers had 58 hours of undisturbed access to an email account containing eight years of client correspondence.
In that inbox lay: 12,347 emails with attachments. Tax returns, annual financial statements, payroll records, ID copies, powers of attorney, bank details, credit reports. The complete financial life story of 1,843 clients — individuals, freelancers, and mid-sized businesses.
The attackers forwarded the entire correspondence to an external address. Then they changed the password, set up automatic forwarding for all incoming emails, and vanished.
The Escalation
Monday, March 3, noon: The IT service provider discovered the forwarding rule and deactivated it. But the damage was already done. The complete email history had been copied. The provider recommended immediately engaging an incident response specialist.
Monday, March 3, evening: The external forensics firm confirmed: all emails with attachments had been exfiltrated. 12,347 emails, totaling 34 gigabytes of data. The attackers had also used Wiesner's DATEV credentials to access additional client data. The scope grew with every hour of analysis.
Tuesday, March 4: Report filed with the data protection authority under Art. 33 GDPR. Wiesner faced the task of informing 1,843 clients about the data breach. For a tax advisor — whose entire business model rests on absolute trust — this was the worst imaginable step.
Week 2: The first clients reported suspicious activity. Three clients received phone calls from alleged tax authority employees who had detailed knowledge of their tax situations — a classic spear-phishing attack using the stolen data. One client wired €24,000 to a fraudulent account before the scam was discovered.
Week 3: Eight clients filed criminal complaints. Not only against the unknown attackers, but also against the firm Wiesner & Schreiber. The accusation: negligent handling of confidential client data.
Month 2: The attackers used the stolen ID copies and tax identification numbers for identity theft. At least 23 clients fell victim: fraudulent credit applications, bogus bank account openings, fabricated tax refund claims filed with the tax authority. The total damage from identity theft exceeded €340,000.
Month 4: The data protection authority concluded its investigation and imposed a fine of €420,000.
The Damage in Detail
Financial Breakdown
| Cost Item | Amount |
|---|---|
| GDPR Fine | €420,000 |
| Client Compensation (Settlements) | €480,000 |
| IT Forensics and Incident Response | €95,000 |
| External Legal Counsel | €140,000 |
| Notification of Affected Individuals | €35,000 |
| New IT Security Infrastructure | €120,000 |
| Identity Theft Consequential Damages (pro rata) | €180,000 |
| Revenue Decline from Client Attrition | €130,000 |
| Total Damage | €1,600,000 |
Reputation Damage
Of the 1,843 clients, 412 switched to a different firm within one year — a client loss rate of 22%. The firm's revenue fell from €1.1 million to €780,000. The local Augsburg newspaper reported on the case multiple times, and online review platforms filled with negative entries. One client wrote: "My entire financial history is now in criminal hands because my tax advisor used the same password for everything."
Legal Consequences
The €420,000 fine was based on:
- Art. 32 GDPR (Security of Processing): No multi-factor authentication, identical passwords across different systems, no email encryption for sensitive attachments. €250,000.
- Art. 5(1)(f) GDPR (Integrity and Confidentiality): Protection of client data was inadequate. €120,000.
- Art. 25 GDPR (Data Protection by Design): Sensitive client documents were routinely received as unencrypted email attachments and archived in the email system. €50,000.
The tax advisors' professional chamber initiated disciplinary proceedings. Wiesner received a formal reprimand and was ordered to implement a certified IT security concept within six months.
Business Impact
Wiesner's partner, tax advisor Kathrin Schreiber, left the firm. She started her own practice and took 180 clients with her. Wiesner had to take out a €500,000 loan to cover the costs. At 54 years old, he faced a mountain of debt that threatened his retirement savings.
What Went Wrong
1. One password for everything: Juergen Wiesner used the same password for his email account, DATEV, his online banking, and several other services. A single compromised password opened every door.
2. No multi-factor authentication: MFA would have stopped the attack immediately. Even with the correct password, the attackers would not have gained access without the second factor. MFA is free and can be set up in minutes.
3. Email as a document archive: The core problem was not just the hacked account, but the fact that eight years of client correspondence with all sensitive attachments sat in the email inbox. Email is not a secure document management system. Every email containing a tax assessment, every pay stub in an attachment, increased the potential damage scope.
4. No secure document intake: Clients sent documents via email because there was no other channel. A secure upload portal would have prevented sensitive documents from ever being transported via email in the first place. Documents would have landed encrypted on a separate, secured system — not in the email inbox.
5. Missing phishing awareness: Wiesner did not recognize the phishing email. The domain "datev-security.de" differed from "datev.de" — but in the rush of a Friday afternoon, it went unnoticed. Regular security awareness training would have raised red flags.
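The lookalike domain in point 5 is the kind of mismatch a mail gateway or a small pre-delivery check can catch mechanically, which is more reliable than a Friday-afternoon glance. The following script is an added example (not code from the original article or from SendMeSafe): it classifies a sender domain, and every link in a message body, as trusted, lookalike or unknown against an allowlist. The allowlist `TRUSTED_DOMAINS`, the sample header and the sample body are constructed for the example; the only real domain it assumes is `datev.de` as named in the text.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains the firm expects mail and links from.
# (Assumption: a real list would come from the firm's own correspondent records.)
TRUSTED_DOMAINS = {"datev.de", "wiesner-schreiber.example"}


def extract_domain(from_header: str) -> str:
    """Return the domain part of a From header such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for an allowlisted domain or one of its subdomains,
    'lookalike' when a trusted brand name is embedded in an untrusted host
    (datev-security.de, datev.de.evil.example), 'unknown' otherwise."""
    host = host.lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    # Brand = first label of each trusted domain, e.g. "datev".
    brands = {t.split(".")[0] for t in trusted}
    # Strip hyphens, digits and dots so "datev-security.de" -> "datevsecurityde".
    flat = re.sub(r"[^a-z]", "", host)
    if any(b in flat for b in brands):
        return "lookalike"
    return "unknown"


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    return classify_host(extract_domain(from_header), trusted)


def suspicious_links(body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return (url, verdict) for every link whose host is not trusted."""
    out = []
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host, trusted)
        if verdict != "trusted":
            out.append((url, verdict))
    return out


if __name__ == "__main__":
    # Constructed message resembling the one described in the article.
    header = "DATEV Billing <billing@datev-security.de>"
    body = ("Please update your credentials: "
            "https://login.datev-security.de/update before March 1. "
            "Help: https://www.datev.de/help")
    print("sender:", classify_sender(header))
    for url, verdict in suspicious_links(body):
        print("link:", url, "->", verdict)
```

The check deliberately treats subdomains of a trusted domain as trusted and everything that merely contains the brand name as a lookalike; a gateway would typically quarantine or banner-tag the "lookalike" verdict and let "unknown" through with a warning.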
Lessons Learned
Separate document intake from email. When clients submit sensitive files through secure upload links instead of email, the inbox no longer holds a trove that surrenders everything in a single compromise. Documents land encrypted in a separate system with an audit trail and access controls.
Multi-factor authentication is mandatory. For every service that handles personal data, MFA must be activated. This is not a recommendation — it is an obligation under Art. 32 GDPR when the risk is high. With tax advisor data, the risk is always high.
Passwords must never be reused. A password manager generates and stores unique, strong passwords for every service. Free options exist. There is no excuse.
Regularly purge email archives. Old emails with sensitive attachments that no longer serve an active purpose must be deleted. The less data sitting in an email inbox, the less damage a hack can do.
Protect your client data from the next phishing attack. Try SendMeSafe free for 14 days — clients submit documents through encrypted upload links, not email. No credit card required.
Frequently Asked Questions
How often are tax advisors targeted by phishing?
Tax advisors are among the most frequently attacked professional groups because they have access to highly sensitive financial data. The German Federal Chamber of Tax Advisors reports that cyberattacks on advisory firms increased by 67% between 2023 and 2025. Attackers are becoming increasingly sophisticated: AI-generated phishing emails are now nearly indistinguishable from legitimate messages.
Am I personally liable as a tax advisor for a data privacy incident?
As the owner of a sole practice, you bear full liability. For partnerships and incorporated entities, managing director liability can apply if it can be demonstrated that adequate security measures were negligently omitted. Furthermore, affected clients can claim damages under Art. 82 GDPR — for both material damages (e.g., from identity theft) and immaterial damages (e.g., anxiety and loss of control over personal data).
How can I secure client document intake?
The most effective step is implementing secure upload links. Instead of asking clients to email documents, you create individual upload links — with password protection, expiration dates, and optional file size limits. Clients open the link in their browser, upload their files, and the documents land encrypted in your SendMeSafe account. No email transport, no phishing risk, complete audit trail.
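To make the three properties named above concrete (password protection, an expiry date and a size limit), here is an added example of how an expiring upload link can be issued and checked server-side. It is not SendMeSafe's code and makes no claim about how their product works; the design (an HMAC-signed token carrying the link id and expiry, with the password hash kept server-side rather than in the link) is an assumption, and the in-memory `LINK_REGISTRY`, the key `SERVER_KEY` and the sample client id are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side state. (Assumption: in production the key lives in a
# KMS/HSM and the registry in a database; both are in-memory here.)
SERVER_KEY = secrets.token_bytes(32)
LINK_REGISTRY: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def issue_upload_link(client_id: str, ttl_seconds: int, password: str,
                      max_bytes: int, now: float = None) -> str:
    """Create a signed token for one client. The password hash stays in the
    registry, so a copied link alone does not reveal the password."""
    now = time.time() if now is None else now
    link_id = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    LINK_REGISTRY[link_id] = {
        "client_id": client_id,
        "salt": salt,
        "pwd_hash": _hash_password(password, salt),
        "max_bytes": max_bytes,
    }
    payload = json.dumps(
        {"id": link_id, "cid": client_id, "exp": int(now + ttl_seconds)},
        separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def check_upload(token: str, password: str, file_size: int,
                 now: float = None) -> str:
    """Validate an upload attempt; returns 'ok' or the reason for rejection.
    Signature is verified before anything in the payload is trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # wrong part count or invalid base64
        return "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad-signature"  # tampered payload or token from another key
    claims = json.loads(payload)
    if now > claims["exp"]:
        return "expired"
    record = LINK_REGISTRY.get(claims["id"])
    if record is None:
        return "unknown-link"  # e.g. revoked after the client confirmed upload
    if not hmac.compare_digest(_hash_password(password, record["salt"]),
                               record["pwd_hash"]):
        return "bad-password"
    if file_size > record["max_bytes"]:
        return "too-large"
    return "ok"


if __name__ == "__main__":
    # Constructed usage: a 24-hour link for one client, 10 MB cap.
    tok = issue_upload_link("client-1843", 86_400, "Winter-2025", 10_000_000)
    print(check_upload(tok, "Winter-2025", 5_000))      # ok
    print(check_upload(tok, "guess", 5_000))            # bad-password
```

Two details matter for the security properties the FAQ promises: the signature is checked with `hmac.compare_digest` before the payload is parsed, so an attacker cannot make the server act on a forged expiry or link id, and the password is compared only after the signature and expiry pass, so an expired link cannot be used to probe passwords.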
What should I do if I suspect I've fallen for a phishing email?
Act immediately: Change the password of the affected account right away. Enable multi-factor authentication. Check whether email forwarding rules have been set up. Notify your IT service provider and have the account forensically examined. If personal data may have been affected, you must notify the relevant data protection authority within 72 hours (Art. 33 GDPR).
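Of the steps above, "check whether email forwarding rules have been set up" is the one most often done by eye and missed; in the incident described, the forwarding rule survived until the IT provider found it on Monday. The following script is an added example (not from the article or from any vendor) of an automated audit over an exported mailbox configuration. The field names follow the Exchange Online cmdlets Get-Mailbox (ForwardingSmtpAddress) and Get-InboxRule (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, Enabled); the JSON wrapper around them, the internal-domain list and the sample rules are constructed for the example.

```python
import json
import re

# Domains the firm itself owns. (Assumption, constructed for this example.)
INTERNAL_DOMAINS = {"wiesner-schreiber.example"}

# Constructed export of one mailbox and its inbox rules. Property names follow
# Get-Mailbox / Get-InboxRule; the JSON layout itself is an assumption.
CONSTRUCTED_EXPORT = json.dumps({
    "Identity": "j.wiesner@wiesner-schreiber.example",
    "ForwardingSmtpAddress": "smtp:backup-mail@example.org",
    "InboxRules": [
        {"Name": "File invoices", "Enabled": True, "MoveToFolder": "Invoices"},
        {"Name": ".", "Enabled": True,
         "ForwardTo": ["collector@example.org"], "DeleteMessage": True},
        {"Name": "Copy partner", "Enabled": True,
         "ForwardTo": ["k.schreiber@wiesner-schreiber.example"]},
        {"Name": "Old redirect", "Enabled": False,
         "RedirectTo": ["old-assistant@example.net"]},
    ],
})

_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(recipient: str):
    """Domain of an address given bare, as 'smtp:addr' or as 'Name <addr>'."""
    m = _ADDR.search(recipient)
    return m.group(0).rsplit("@", 1)[-1].lower() if m else None


def _external(recipient: str, internal) -> bool:
    dom = _domain(recipient)
    if dom is None:
        return False
    return dom not in internal and not any(dom.endswith("." + d) for d in internal)


def audit_mailbox(export: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return findings for every path by which mail leaves the tenant."""
    findings = []
    fwd = export.get("ForwardingSmtpAddress")
    if fwd and _external(fwd, internal_domains):
        findings.append({"where": "mailbox", "severity": "high",
                         "reason": f"mailbox-level forwarding to external address {fwd}"})
    for rule in export.get("InboxRules", []):
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        ext = [t for t in targets if _external(t, internal_domains)]
        if not ext:
            continue  # internal copies (e.g. to a partner) are not findings
        enabled = rule.get("Enabled", True)
        reasons = [f"forwards/redirects to external {', '.join(ext)}"]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, so the owner never sees the forwarded mail")
        if not rule.get("Name", "").strip(".,- _"):
            reasons.append("rule name is empty or punctuation only, often chosen to escape notice")
        if not enabled:
            reasons.append("rule is disabled but could be re-enabled")
        findings.append({"where": f"rule:{rule.get('Name', '')}",
                         "severity": "high" if enabled else "medium",
                         "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_mailbox(json.loads(CONSTRUCTED_EXPORT)):
        print(f"[{f['severity']}] {f['where']}: {f['reason']}")
```

Run this against every mailbox after a suspected compromise, not only the one whose password was phished: the same forwarding target showing up in several mailboxes is a strong indicator that the credential was reused elsewhere, as it was in this case. Disabled rules are reported at lower severity rather than ignored, because re-enabling one is a single click.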