
Kerkering, Barberio & Co., Certified Public Accountants Data Breach Analysis

Analysis of the Kerkering, Barberio & Co., Certified Public Accountants data breach disclosed 2026-03-13

By FinSecLedger
Records: 4,179
Vector: hacking
Status: confirmed
Occurred: May 25, 2025
Discovered: May 27, 2025
Disclosed: Mar 13, 2026
Exposed: Names, Addresses, Email, SSN
Sources: Maine AG

Florida CPA Firm Kerkering Barberio Discloses Email Breach Affecting 4,179 Clients

A Sarasota-based accounting firm has disclosed a data breach stemming from unauthorized access to employee email accounts, exposing Social Security numbers and other sensitive information belonging to more than 4,000 individuals. The incident highlights the persistent vulnerability of professional services firms that handle vast quantities of client financial data.

Kerkering, Barberio & Co., Certified Public Accountants disclosed the breach to the Maine Attorney General on March 13, 2026, nearly ten months after first discovering the intrusion. The firm, which provides tax, audit, and advisory services to businesses and individuals across Florida, confirmed that an unauthorized actor gained access to four corporate email accounts containing client personal information.

Timeline: A Ten-Month Journey to Notification

The breach timeline reveals the extended process many organizations face when investigating and remediating email-based intrusions:

May 27, 2025: Kerkering Barberio discovers unauthorized access to four employee email accounts. The firm immediately isolates the affected accounts and engages a third-party cybersecurity firm to conduct a forensic investigation.

May-December 2025: Forensic investigators determine that files within the compromised email accounts were accessed and potentially exfiltrated by the threat actor. The firm engages a data mining vendor to conduct a comprehensive review of affected data.

March 6, 2026: The firm finalizes its list of affected individuals after completing the data mining review.

March 13, 2026: Notification letters are mailed to 4,179 affected individuals, and the breach is reported to state attorneys general.

The nearly ten-month gap between discovery and notification, while lengthy, falls within the range commonly seen in email compromise incidents. The labor-intensive process of reviewing email contents to identify affected individuals—often requiring manual review of thousands of messages and attachments—accounts for much of this delay.

Exposed Data: The Crown Jewels of Identity Theft

The breach exposed a particularly dangerous combination of personal information:

  • Full names
  • Physical addresses
  • Email addresses
  • Social Security numbers

For a CPA firm, this data exposure is especially concerning. Accounting firms routinely handle tax returns, financial statements, and other documents containing the precise information identity thieves need to file fraudulent tax returns, open credit accounts, or perpetrate other financial crimes.

The presence of Social Security numbers in email accounts underscores a persistent security challenge in the accounting industry: sensitive client data frequently transits through email systems that may lack adequate protection, despite the existence of more secure file-sharing alternatives.

Attack Vector: Business Email Compromise Strikes Again

While Kerkering Barberio's disclosure describes the incident as unauthorized access to email accounts, the attack pattern suggests a business email compromise (BEC) or credential-based intrusion. The firm has not disclosed how attackers gained initial access, but common vectors for this type of breach include:

Credential phishing: Attackers send convincing emails that direct recipients to fake login pages, harvesting usernames and passwords.

Password spraying: Automated attacks test common passwords against multiple accounts, exploiting weak or reused credentials.

Token theft: Sophisticated attackers steal authentication tokens that bypass multi-factor authentication protections.

The fact that four separate email accounts were compromised suggests either a coordinated attack targeting multiple employees or lateral movement after an initial compromise—possibly through shared credentials or administrative access.

The notification letter indicates that "some KB files were obtained by an unauthorized actor," confirming data exfiltration rather than mere access. This distinction matters: attackers who extract data may monetize it through sale on dark web marketplaces, use it for targeted fraud, or leverage it for extortion.

Why Accounting Firms Remain Prime Targets

The Kerkering Barberio breach exemplifies why professional services firms—particularly those handling financial data—face elevated cyber risk:

Data density: A single CPA firm may hold sensitive information for thousands of clients, making them high-value targets relative to the effort required for compromise.

Seasonal data flows: Tax season creates surges in sensitive data transmission, often via email, expanding the attack surface during predictable windows.

Client diversity: Accounting firms serve clients across multiple industries, providing attackers with diverse data that can be monetized in various ways.

Trust relationships: Compromised accounting firm email accounts can be weaponized for secondary attacks against clients, who may not question communications from their trusted financial advisors.

Resource constraints: Many small and mid-sized firms lack dedicated IT security staff, relying instead on general IT providers who may not specialize in threat detection and response.

Regulatory and Compliance Implications

CPA firms operate under multiple regulatory frameworks that impose data protection obligations:

AICPA Professional Standards: The American Institute of CPAs requires members to maintain confidentiality and implement reasonable safeguards for client information.

State Board of Accountancy Rules: Florida and other states impose professional conduct requirements that include data protection obligations.

Gramm-Leach-Bliley Act (GLBA): Firms providing financial services may be subject to GLBA's Safeguards Rule, which requires written information security programs.

FTC Safeguards Rule: Recent updates to this rule, effective in 2023, impose specific technical requirements including encryption, access controls, and multi-factor authentication for entities handling consumer financial information.

The breach may trigger scrutiny from the Florida Board of Accountancy regarding whether the firm maintained adequate safeguards. Additionally, affected clients who suffer identity theft may pursue civil claims, though the firm's prompt offer of credit monitoring services may help mitigate such risks.

Lessons for Financial Services Firms

The Kerkering Barberio incident offers several takeaways for accounting firms and other financial services organizations:

Email remains the weakest link: Despite years of security awareness training and technical controls, email compromise continues to be a primary attack vector. Organizations should evaluate whether sensitive data needs to transit through email at all, or whether secure client portals offer a safer alternative.

Multi-factor authentication is necessary but not sufficient: While MFA significantly reduces account takeover risk, sophisticated attackers have developed techniques to bypass these protections. Phishing-resistant MFA methods, such as hardware security keys, provide stronger protection.

Detection capabilities matter: The notification does not indicate how the firm discovered the compromise. Organizations should implement monitoring that can detect anomalous email access patterns, including logins from unusual locations or devices.
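As an added example of the kind of monitoring described above (and of detecting the password-spraying vector listed earlier), the following Python script is not code from the article, the firm, or its investigators. It runs two checks over a constructed sign-in log: a source IP that fails against many distinct accounts within a short window (password spraying, which per-account lockout counters miss), and a successful login from a country or device a user never used during a baseline period. The log format, account names, IPs, timestamps and thresholds are all assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). One row per authentication
# attempt; the column set is a generic shape, not any product's actual schema.
SAMPLE_LOG = """\
ts,user,ip,country,device,result
2025-05-19T08:02:11,alice@kb.example,203.0.113.10,US,alice-laptop,success
2025-05-19T08:15:40,bob@kb.example,203.0.113.11,US,bob-desktop,success
2025-05-20T09:01:05,carol@kb.example,203.0.113.12,US,carol-laptop,success
2025-05-20T09:30:22,dave@kb.example,203.0.113.13,US,dave-laptop,success
2025-05-21T08:05:13,alice@kb.example,203.0.113.10,US,alice-laptop,success
2025-05-25T02:10:01,alice@kb.example,198.51.100.77,NL,unknown-browser,failure
2025-05-25T02:10:09,bob@kb.example,198.51.100.77,NL,unknown-browser,failure
2025-05-25T02:10:17,carol@kb.example,198.51.100.77,NL,unknown-browser,failure
2025-05-25T02:10:25,dave@kb.example,198.51.100.77,NL,unknown-browser,failure
2025-05-25T02:10:33,erin@kb.example,198.51.100.77,NL,unknown-browser,failure
2025-05-25T02:10:41,bob@kb.example,198.51.100.77,NL,unknown-browser,success
2025-05-25T08:03:50,alice@kb.example,203.0.113.10,US,alice-laptop,success
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime 'ts', sorted chronologically."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag any source IP whose failures hit at least `min_users` distinct accounts
    inside one `window`. Keying on the IP across users is what exposes spraying:
    each account sees only one or two failures, so per-user thresholds stay quiet."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        hit = None
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's time-sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed_users = {x["user"] for x in window_evs if x["result"] == "failure"}
            if len(failed_users) >= min_users:
                if hit is None:
                    hit = {"ip": ip, "first_seen": evs[start]["ts"],
                           "targets": set(), "succeeded": set()}
                hit["targets"].update(failed_users)
                # a success from the spraying IP means a password was guessed
                hit["succeeded"].update(x["user"] for x in window_evs if x["result"] == "success")
                hit["last_seen"] = evs[end]["ts"]
        if hit:
            hit["targets"] = sorted(hit["targets"])
            hit["succeeded"] = sorted(hit["succeeded"])
            hit["distinct_users"] = len(hit["targets"])
            alerts.append(hit)
    return alerts


def detect_new_location_logins(events, baseline_until):
    """Learn each user's countries and devices from successful logins before
    `baseline_until`, then flag later successes from an unseen country or device.
    Flagged logins are deliberately NOT added to the baseline, so an intruder
    cannot normalise their own access by logging in repeatedly."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set()})
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = seen[e["user"]]
        if e["ts"] < baseline_until:
            profile["countries"].add(e["country"])
            profile["devices"].add(e["device"])
            continue
        reasons = []
        if e["country"] not in profile["countries"]:
            reasons.append("new country " + e["country"])
        if e["device"] not in profile["devices"]:
            reasons.append("new device " + e["device"])
        if reasons:  # users with no baseline at all are flagged on first sight
            alerts.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_password_spray(evs):
        print("SPRAY", a["ip"], a["distinct_users"], "accounts, succeeded:", a["succeeded"])
    for a in detect_new_location_logins(evs, datetime(2025, 5, 25)):
        print("ANOMALY", a["user"], a["ip"], "; ".join(a["reasons"]))
```

On this sample the spray check reports one IP failing against five accounts and then succeeding against one of them, and the baseline check flags that same success as both a new country and a new device; the user's routine login later that morning is not flagged. In production the same two rules run over the tenant's sign-in audit export, with the baseline window and thresholds tuned to the firm's own travel and device patterns.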

Data minimization reduces blast radius: If email accounts contained only transient communications rather than stored sensitive documents, the breach impact would have been substantially reduced. Retention policies that automatically purge old messages limit exposure in the event of compromise.

Incident response planning accelerates notification: The ten-month timeline, while not unusual, could be compressed with pre-established relationships with forensic investigators and data mining vendors, along with documented procedures for breach response.

Looking Ahead

Kerkering Barberio reports no evidence of fraud or identity theft resulting from the breach as of the disclosure date. The firm is offering affected individuals 12 months of credit monitoring and identity theft restoration services through Cyberscout, a TransUnion subsidiary.

For the 4,179 individuals affected, the standard precautions apply: monitor credit reports, consider placing fraud alerts or credit freezes, and remain vigilant for phishing attempts that may leverage the exposed information.

The broader accounting industry should view this incident as a reminder that cybersecurity is not merely an IT concern but a core professional responsibility. As tax season approaches, firms handling sensitive client data would be well-served to audit their email security controls before threat actors audit them first.

Tags: breach, financial, legal, hacking