PwC security questioned as its head of risk fooled by fake email
Big four accounting firm PwC has launched an investigation after a fake email duped the company’s head of risk and ethics into disclosing the hiring of the firm’s new general counsel, Kylie Gray.
Editor’s note: This story originally appeared on Lawyers Weekly’s sister brand, Cyber Daily.
Risk and ethics chief Jan McCahey received an email that claimed to be from PwC’s new general counsel, Kylie Gray, to which Ms McCahey responded with details of Ms Gray’s appointment. At the time of the emails, Ms Gray’s appointment as PwC’s general counsel had not yet been announced.
Ms Gray’s appointment was ultimately reported in late November after the firm’s partners were notified. She comes across from Westpac, where she has served as general counsel of litigation, regulatory investigations, and financial crime.
The fake email, which was seen by The Australian, asked Ms McCahey for details regarding Ms Gray’s “remuneration and bonus arrangements” and asked if this would be revealed to other partners considering PwC’s “current circumstances”.
Ms McCahey confirmed that Ms Gray’s pay and bonuses would not be revealed to partners, which current and former partners said is not the norm at the firm, with one telling The Australian that PwC had an internal database with the pay of all partners, bar the chief executive.
The head of risk and ethics was also asked when Ms Gray’s appointment would be announced.
The incident has sparked questions as to why a major organisation’s risk and ethics chief was unable to determine that the email was a fake, particularly as it came not from an internal company address but from a Proton Mail account.
Ms McCahey was only appointed as PwC Australia’s chief risk and ethics leader in July, but she has been with the company since 2001.
The official announcement of Ms Gray’s appointment came on Monday (27 November). Ms Gray will replace acting general counsel Karen Evans-Cullen, who took up the role in July following the retirement of long-time general counsel Meredith Beattie.
Ironically, prior to the latest incident, PwC had maintained that it has adopted a much more conservative and cautious approach to risk management following the tax scandal that wreaked havoc on the company’s reputation.
The firm has also been caught up in cyber security trouble this year, after the Clop ransomware group leaked some of the firm’s data on both the clear and dark web as part of the MOVEit breach.
“We are aware that MOVEit, a third-party transfer platform, has experienced a cyber security incident [that] has impacted hundreds of organisations, including PwC. PwC uses the software with a limited number of client engagements,” a statement from the company read at the time.
“As soon as we learned of this incident, we stopped using the platform and started our own investigation.”