First off, apologies for any stress or confusion. We have been contacted by numerous clients and currently, I have an auto-reply message in response. We will do our best to individually reply to each client today. Your security and peace of mind is important to us. The upside and bottom-line: There was no hack, no data breach, no data loss, or no unauthorized accessing of data. This issue was caused by our CRM, Canopy, doing a minor software upgrade, the implementation of which did not go as planned.
Below is a recap and timeline for your edification, as well as a copy of the email that Canopy sent out this morning to clients.
Last night, at 7:58 pm, I sent out a request to a client for information to prepare their 2017 1040 Amended return. This is a standard operating procedure for us to create the task inside of Canopy and send out the request. At 7:59, I received a request to my Gmail that I should not have received. At 8:01 I received an email from a client indicating they received the request for information for the same client, that was not them. At that point, I knew my night was going to be very interesting.
I want to be as candid as I can with you in recapping what happened and what steps we took to resolve the issues. We do have auto-reply email going out, but we know this is an anxiety provoking event for many of our clients and will do our best to individually respond to each email.
- Go Green Tax was not hacked. My Outlook email was not hacked. My computer was not hacked. My network was not hacked.
- The issue stems from an implementation of a minor software upgrade in Canopy, which caused an issue in their email database. No one was able to access information of another client by clicking the link in the request for additional information.
- We became aware of the issue last night at 7:59 PM, when I personally received an email to my Gmail account requesting information to complete the 2017 1040 Amended Return for a client that is not me.
- I promptly called my IT partner. Unplugged my computer in case it was an issue on my computer. My IT person was onsite in 20 minutes. We trouble shot the issue around my computer versus the CRM. We got a bit impatient on the “Test” requests, in sending three additional requests, which you were probably pinged for. In retrospect, I wish I would have just sent it from my profile, rather than partners/family names that you are not familiar with.
- We were attempting to individually reply to each person who emailed, but it was also getting overwhelming and set up an auto-response. We will attempt to follow with each individual email we received today to address your concerns.
- Canopy has indicated that the issue has been resolved. I received two emails from Canopy early this AM. I will update them to a blog post later today. They are both very general in nature and do not drill down to specifics. We were able to speak with them this AM and they told my IT partner that the issue was in a minor software upgrade on their end that had this lovely unintended consequence. Their fix was to roll back the upgrade. Peculiar enough, it did not affect all of their clients. Apparently, I’m in the lucky group. That besides the annoyance/alarm caused by receiving the emails requesting information for someone not named you, there was no data breach or hack. It was basically an email glitch.
Copy of Canopy Email that went out to affected clients this AM:
You may have received an unsolicited request for information from your tax or accounting professional between 8:00 pm MST and 12:00 am MST on 2/3/2021, if you received a message in that time frame you can disregard it as it was sent in error. We sincerely apologize for any inconvenience or confusion this may have caused.