PwC Data Exposure Incident: What Professional Services Firms Can Learn

PricewaterhouseCoopers, one of the world's largest professional services firms, has been the subject of data exposure incidents that illustrate the security challenges facing the whole sector. Reported incidents have included misconfigured cloud storage, accidental disclosure of client data, and exposure of internal documents. For the Big Four, the reputational stakes of any client data incident are enormous, and the security lessons apply equally to firms of any size.

Professional services firms face an average of 4.3 significant security incidents per year — Ponemon Institute.

Common Causes of Data Exposure in Large Professional Services Firms

Data exposure incidents in large professional services organisations typically involve:

  • Cloud misconfiguration — publicly accessible storage buckets, SharePoint sites with overly permissive external sharing, or misconfigured collaboration portals
  • Third-party access — vendor or sub-contractor access to systems beyond what their role required
  • Email misdirection — sensitive client documents sent to incorrect recipients, a persistent risk in high-volume email environments
  • Legacy systems — old project portals, client extranets, or document management systems not properly decommissioned
  • Insufficient access controls — client data accessible by staff not working on the relevant engagement
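The first cause in the list, a publicly accessible storage bucket, is something a firm can check for offline before an attacker does. The following Python script is an added example for this page (not code from PwC or from any firm named here): it walks an S3 bucket policy document and reports every Allow statement whose principal is a wildcard, distinguishing statements that are narrowed by a Condition from those that are genuinely open to anonymous requests. The policy, the bucket name `client-portal-exports`, the VPC endpoint ID and the account ID are all constructed for illustration.

```python
"""Offline review of an S3 bucket policy for statements that grant access to everyone.

Added example for this page, not code from PwC or from any firm named here.
It reviews only the bucket policy document; bucket and object ACLs and the
Block Public Access settings are separate controls (see the note below).
"""
import json


def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement applies to any principal, including unauthenticated requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy):
    """Return one finding per Allow statement whose principal is a wildcard.

    A Condition block may legitimately narrow a wildcard principal (for example
    aws:SourceVpce or aws:PrincipalOrgID), so such statements are reported with
    conditioned=True for manual review rather than silently accepted.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


# Constructed sample policy (hypothetical bucket, endpoint and account IDs): one
# genuinely public-read statement, one wildcard principal narrowed to a VPC
# endpoint, and one statement scoped to a single engagement role.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-portal-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::client-portal-exports",
                  "arn:aws:s3:::client-portal-exports/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "EngagementTeam", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/engagement-acme"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::client-portal-exports/clients/acme/*"}
  ]
}
""")


if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        status = "needs review (conditioned)" if f["conditioned"] else "PUBLIC"
        print(f"{f['sid']}: {status} actions={f['actions']} resources={f['resources']}")
```

Run against the sample it reports `PublicRead` as public and `VpcOnly` as needing review. Two caveats matter in practice: the bucket policy is only one route to public access (bucket and object ACLs are another, and the account- or bucket-level Block Public Access settings override permissive policies, so the same check must look at those too), and a policy review says nothing about SharePoint or collaboration-portal sharing links, which need their own sharing reports.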

Lessons for Professional Services Firms

The data exposure incidents affecting large professional services firms consistently point to the same underlying failures: weak cloud security governance; overly permissive access controls on client data; inadequate monitoring of external-facing systems; and no regular security review of legacy platforms and portals. For firms of any size, the lesson is that security cannot be treated as a one-time implementation. It requires continuous monitoring, regular configuration reviews, and a culture in which staff understand that protecting client data is a professional obligation.

Frequently Asked Questions

What should a professional services firm do immediately after discovering a data exposure?

Contain the exposure first: remove the public access grant or sharing link, revoke the over-permissive role, or suspend the compromised account. Preserve the relevant logs and a snapshot of the misconfigured setting before you change anything, because they are the evidence for the next step. Then establish scope: which data was exposed, to whom (authenticated users, anonymous requesters, search engine crawlers), and for how long. Notify your legal advisers and cyber insurer. If personal data was involved, assess whether the UK GDPR breach-notification duty applies; a notifiable breach must be reported to the ICO within 72 hours of the firm becoming aware of it. Notify affected clients promptly and honestly. Finish with a root cause analysis and controls that prevent recurrence.
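The scope question (what, to whom, for how long) is answered from access logs, and for a public storage bucket the relevant records are the ones with no authenticated requester. The following Python script is an added example for this page (not code from PwC or from any firm named here) that parses the leading fields of the S3 server access log format and summarises successful anonymous requests: the objects fetched, the source addresses, whether the key listing itself was enumerable, and the first-to-last window. The log lines are constructed for illustration; the bucket name `client-portal-exports`, the object keys, the request IDs and the IP addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Scope a storage bucket exposure from S3 server access logs: which objects
anonymous requesters actually fetched, from where, and over what window.

Added example for this page, not code from PwC or from any firm named here.
The log lines below are constructed to resemble the S3 server access log
format; a real investigation reads the delivered log files instead.
"""
import re
from datetime import datetime

# Leading fields of the S3 server access log format. The trailing fields
# (bytes, timings, referer, user agent, ...) are not needed for scoping
# and are left unmatched.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)


def parse_line(line):
    """Return the parsed record as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def scope_exposure(lines):
    """Summarise successful unauthenticated access.

    In S3 access logs the requester field is "-" for anonymous requests, so
    those records are exactly the ones a public bucket policy let through.
    """
    objects, ips, times = set(), set(), []
    listed, denied = False, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["requester"] != "-":
            continue
        if rec["status"] == 403:
            denied += 1          # anonymous attempts that failed, e.g. after containment
            continue
        if rec["status"] != 200:
            continue
        times.append(rec["time"])
        ips.add(rec["ip"])
        if rec["operation"] == "REST.GET.BUCKET":
            listed = True        # the key list itself was enumerable
        elif rec["operation"] == "REST.GET.OBJECT":
            objects.add(rec["key"])
    first = min(times) if times else None
    last = max(times) if times else None
    return {
        "anonymous_requests": len(times),
        "objects": sorted(objects),
        "source_ips": sorted(ips),
        "bucket_listed": listed,
        "first_seen": first,
        "last_seen": last,
        "exposure_seconds": int((last - first).total_seconds()) if times else 0,
        "denied_requests": denied,
    }


# Constructed sample log (hypothetical bucket, keys, request IDs and addresses):
# an anonymous listing, three anonymous object reads from two addresses, one
# authenticated read by an engagement user, and one anonymous read denied
# after public access was removed.
SAMPLE_LOG = """\
OWNER client-portal-exports [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 12 11 "-" "curl/7.64.0" - -
OWNER client-portal-exports [06/Feb/2019:00:01:12 +0000] 192.0.2.3 - 3E57427F3EXAMPL2 REST.GET.OBJECT clients/acme/report.pdf "GET /clients/acme/report.pdf HTTP/1.1" 200 - 2661 2661 37 35 "-" "curl/7.64.0" - -
OWNER client-portal-exports [06/Feb/2019:00:05:40 +0000] 198.51.100.7 - 3E57427F3EXAMPL3 REST.GET.OBJECT clients/beta/payroll.xlsx "GET /clients/beta/payroll.xlsx HTTP/1.1" 200 - 90112 90112 80 77 "-" "Mozilla/5.0" - -
OWNER client-portal-exports [06/Feb/2019:00:07:03 +0000] 203.0.113.9 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPL4 REST.GET.OBJECT clients/acme/report.pdf "GET /clients/acme/report.pdf HTTP/1.1" 200 - 2661 2661 30 28 "-" "aws-cli/2.4.0" - -
OWNER client-portal-exports [06/Feb/2019:00:09:15 +0000] 198.51.100.7 - 3E57427F3EXAMPL5 REST.GET.OBJECT clients/acme/report.pdf "GET /clients/acme/report.pdf HTTP/1.1" 200 - 2661 2661 33 31 "-" "Mozilla/5.0" - -
OWNER client-portal-exports [06/Feb/2019:00:30:00 +0000] 198.51.100.7 - 3E57427F3EXAMPL6 REST.GET.OBJECT clients/beta/payroll.xlsx "GET /clients/beta/payroll.xlsx HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "Mozilla/5.0" - -
"""


if __name__ == "__main__":
    result = scope_exposure(SAMPLE_LOG.splitlines())
    for name, value in result.items():
        print(f"{name}: {value}")
```

Three caveats a practitioner would attach to the result. The logs must have been enabled before the exposure began, and S3 server access logging is delivered on a best-effort basis, so CloudTrail S3 data events are the more complete record where they exist. The absence of log entries is not evidence that nothing was read. And "for how long" is bounded by when the misconfiguration was introduced (the bucket-policy change event in CloudTrail), not only by the first anonymous request that happened to be observed.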
