
Solari Accountancy, Inc. Data Breach Analysis

Analysis of the Solari Accountancy, Inc. data breach disclosed 2026-04-08

By FinSecLedger
Records: Unknown
Vector: unknown
Status: confirmed
Occurred: Apr 8, 2026
Discovered: Apr 8, 2026
Disclosed: Apr 8, 2026
Exposed: Names, Addresses, Email, Phone

Tax Software Breach at Solari Accountancy Exposes Client Data During Filing Season

A California accounting firm disclosed on April 13, 2026 that an unauthorized individual gained access to its tax software environment, potentially exposing personal information for an undetermined number of clients. Solari Accountancy, Inc., a two-partner CPA practice based in Lodi, California, discovered the intrusion on April 8, 2026—squarely in the middle of the spring tax filing deadline crunch.

The breach represents a growing threat pattern targeting smaller financial services firms that handle sensitive tax and financial data but often lack the security resources of larger institutions. For financial institutions that rely on external accounting firms, tax preparers, or payroll processors, this incident underscores the persistent third-party risk that continues to plague the sector.

Timeline: Five-Day Notification Window

The timeline disclosed in the notification letter is notably compact:

  • April 8, 2026: Solari Accountancy discovered unauthorized access to its tax software system
  • April 13, 2026: Notification letters dated and presumably mailed to affected clients
  • Date of initial intrusion: Unknown (the letter does not specify when the breach actually occurred)

The five-day window between discovery and notification is commendably fast by industry standards. California's breach notification statute (Cal. Civ. Code § 1798.82) requires disclosure "in the most expedient time possible and without unreasonable delay," which courts have generally interpreted as 30-45 days. Solari's rapid response suggests the firm moved quickly once the incident was identified.

However, the notification letter conspicuously omits any information about when the unauthorized access actually began. The phrase "on or about April 8, 2026" describes the discovery date, not the intrusion date. This gap is significant—if the attacker had access for weeks or months before detection, the scope of potential data exposure could be substantially larger than a brief intrusion.

What Data Was Exposed

The notification letter attempts to soften the impact by stating that "your tax return was not directly affected," while simultaneously acknowledging the firm "cannot guarantee that your personal information was not exposed during the breach." This language creates an uncomfortable ambiguity for clients trying to assess their actual risk.

For clients of a CPA firm, the potential exposure universe is extensive:

  • Personal identifiers: Names, addresses, phone numbers, email addresses
  • Tax identification numbers: Social Security numbers, Employer Identification Numbers
  • Financial account data: Bank account numbers, routing numbers (from direct deposit refund instructions)
  • Income information: W-2 data, 1099 forms, business revenue figures
  • Dependent information: SSNs and birthdates for spouses and children
  • Prior year tax data: Historical returns often stored in tax software

The firm's recommendation that clients "contact your financial institution to verify your current bank account information" implicitly acknowledges that banking credentials may have been accessible through the tax software system. Tax preparers routinely store bank account details for direct deposit refunds and electronic payment authorizations.

Attack Vector: Tax Software as Entry Point

The notification specifically identifies the "tax software environment" as the compromised system. While the letter does not name the specific software platform, professional tax preparation software, including cloud-based solutions like Drake, Lacerte, ProSeries, or UltraTax, represents an increasingly attractive target for threat actors.

Tax software systems aggregate exactly the data criminals need for identity theft and tax refund fraud: SSNs, prior-year adjusted gross income figures, bank account numbers, and enough personal details to answer IRS identity verification questions. Compromising a single tax preparer's software instance can yield hundreds or thousands of complete identity profiles.

Common attack vectors against tax preparer environments include:

  1. Credential theft: Phishing attacks targeting tax professionals, especially during busy season when staff are overwhelmed
  2. Remote access exploitation: VPN or RDP vulnerabilities in remote work configurations
  3. Software supply chain: Compromise of the tax software vendor itself or its update mechanisms
  4. Insider access: Unauthorized access by current or former employees
  5. Social engineering: Phone-based attacks impersonating software vendors or IRS agents

The firm's statement that it "immediately secured the affected environment" suggests the intrusion point was identifiable and containable—potentially indicating a credential compromise or specific system vulnerability rather than a broader network intrusion.

Regulatory and Compliance Implications

GLBA Safeguards Rule

Tax preparers and accountants handling consumer financial information are "financial institutions" under the Gramm-Leach-Bliley Act's broad definition. The FTC's updated Safeguards Rule (16 CFR Part 314), which took full effect in June 2023, imposes specific cybersecurity requirements on these firms including:

  • Designation of a qualified individual to oversee information security
  • Written risk assessment identifying reasonably foreseeable risks
  • Access controls limiting who can access customer information
  • Encryption of customer information in transit and at rest
  • Multi-factor authentication for accessing customer information systems
  • Continuous monitoring or annual penetration testing
  • Incident response planning

A breach of this nature would likely trigger FTC scrutiny regarding whether Solari maintained compliant safeguards. The updated rule specifically requires firms to "design and implement safeguards to control the risks you identify through risk assessment," with tax software security being an obvious risk category.

IRS and State Tax Agency Requirements

Solari's notification indicates the firm reported the incident to the IRS Stakeholder Liaison and the California Franchise Tax Board Fraud Division. This reflects compliance with IRS Publication 4557 guidance for tax professionals, which requires reporting data breaches to the appropriate IRS stakeholder liaison within the practitioner's state.

The IRS maintains a Data Theft Information for Tax Professionals page and works with affected preparers to flag compromised taxpayer accounts for potential fraudulent returns. This is critical during filing season when criminals race to file fraudulent returns before legitimate taxpayers.

California's Franchise Tax Board similarly monitors for indicators of preparer compromises that could enable state refund fraud.

State Breach Notification

California's breach notification law covers this incident given Solari's California location and likely California-resident client base. The statute requires notification when unencrypted personal information (name plus SSN, financial account number, or other specified data elements) is acquired by an unauthorized person.

Notably, California law includes a "risk of harm" threshold—notification is required when there is a reasonable belief that unencrypted data was acquired. Solari's acknowledgment that it "cannot guarantee" data was not exposed meets this threshold.

The Bigger Picture: Small Firm Vulnerabilities

This incident fits a troubling pattern of threat actors targeting smaller financial services firms—tax preparers, independent insurance agencies, small wealth advisors—that handle highly sensitive data but operate with limited security budgets and staff.

Similar patterns have emerged across the financial services supply chain. The 700Credit breach demonstrated how a specialized financial services vendor can expose sensitive data across multiple downstream clients. The Ashton Thomas Private Wealth breach showed how email system compromises at smaller wealth management firms can expose client financial data.

The IRS has repeatedly warned of increasing cyberattacks targeting tax professionals. The agency's Security Summit—a partnership between the IRS, state tax agencies, and the tax industry—has issued multiple alerts about phishing campaigns, remote access trojans, and credential theft schemes targeting preparers.

For financial institutions, these smaller service providers represent persistent third-party risk. Banks and credit unions often work with external CPAs for business customers, accept tax documents from preparer firms, or integrate with accounting software for commercial clients. A breach at any of these touchpoints can expose bank customers even when the bank's own systems remain secure.

Action Items for Financial Institutions

Financial institutions should treat this incident as a prompt to review their own third-party risk posture and tax season security practices:

  1. Audit tax preparer relationships: Identify any external CPA firms, enrolled agents, or tax preparers with access to institutional systems or customer data. Verify these firms maintain written information security programs compliant with GLBA Safeguards requirements before renewing engagements.

  2. Review tax document handling: Assess how your institution receives, processes, and stores tax documents from customers and third parties. Ensure transmitted documents are encrypted and access is limited to staff with business need.

  3. Enhance fraud monitoring during tax season: Increase scrutiny of account changes, new direct deposit instructions, and wire requests during peak filing periods (January through April and extension season in October). Criminals exploiting stolen tax data often move quickly to monetize before victims notice.

  4. Validate vendor security practices: For any software or service providers handling tax-related data (payroll processors, benefits administrators, document management systems), confirm they maintain current penetration testing, access controls, and incident response capabilities.

  5. Prepare for customer inquiries: If your institution has business relationships with affected firms or serves customers who may use external tax preparers, prepare customer-facing staff to address questions about protective measures. Consider proactive communications about fraud monitoring and identity protection resources.
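
Item 3 above as detection logic, in an added example that is not part of the original article: money-movement events are escalated when they fall in a peak filing month, and escalated further when they follow a profile change on the same account within a short window. The event schema, type names, 72-hour window and sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed for illustration (not from the article): event schema, type names, 72h window.
PEAK_MONTHS = {1, 2, 3, 4, 10}   # filing season plus October extension season
PROFILE_CHANGES = {"contact_change", "credential_reset"}
MONEY_MOVES = {"new_direct_deposit", "wire_request"}
WINDOW = timedelta(hours=72)     # stolen tax data tends to be monetized quickly

def review_queue(events):
    """Return (account, event_type, severity) for events needing manual review."""
    last_change = {}             # account -> time of most recent profile change
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind, ts = ev["account"], ev["type"], ev["ts"]
        if kind in PROFILE_CHANGES:
            last_change[acct] = ts
            continue
        if kind not in MONEY_MOVES:
            continue             # logins and other event types are out of scope here
        prior = last_change.get(acct)
        chained = prior is not None and ts - prior <= WINDOW
        peak = ts.month in PEAK_MONTHS
        if chained and peak:
            flagged.append((acct, kind, "high"))
        elif chained or peak:
            flagged.append((acct, kind, "medium"))
        # off-season money movement with no recent profile change is not escalated
    return flagged

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events; account IDs are placeholders.
SAMPLE_EVENTS = [
    {"account": "A-100", "type": "login", "ts": _t("2026-04-09T09:55:00")},
    {"account": "A-100", "type": "contact_change", "ts": _t("2026-04-09T10:00:00")},
    {"account": "A-100", "type": "new_direct_deposit", "ts": _t("2026-04-10T09:30:00")},
    {"account": "B-200", "type": "wire_request", "ts": _t("2026-03-02T14:00:00")},
    {"account": "C-300", "type": "contact_change", "ts": _t("2026-07-01T08:00:00")},
    {"account": "C-300", "type": "wire_request", "ts": _t("2026-07-02T08:00:00")},
    {"account": "D-400", "type": "wire_request", "ts": _t("2026-07-15T12:00:00")},
]

if __name__ == "__main__":
    for row in review_queue(SAMPLE_EVENTS):
        print(row)
```
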

Looking Forward

The Solari Accountancy breach is unlikely to generate significant regulatory enforcement or media attention given the firm's small footprint. But for security leaders at financial institutions, it serves as a useful reminder that the financial services ecosystem extends far beyond regulated banks and credit unions.

Every CPA firm, payroll processor, benefits administrator, and financial software vendor with access to customer data represents potential exposure. The GLBA Safeguards Rule updates were designed to address exactly this risk by imposing consistent security requirements across the financial services supply chain.

Whether those requirements are being meaningfully enforced—and whether smaller firms have the resources to comply—remains an open question. Until the enforcement landscape catches up with the regulatory framework, incidents like this will continue to demonstrate the gap between security requirements on paper and security practices in the field.
