Vantage Accounting is a small boutique accounting firm based in Tampa, Florida. The firm consists of 2 Partners, 13 Certified Public Accountants, and 9 Office Staff, for a total of 24 employees. Vantage Accounting has an average annual revenue of $5.1 million and an average net profit of $1.8 million. Most of their business is based on both corporate and individual tax preparation. Niche IT is a medium-sized Managed Service Provider based in Tampa, Florida. Niche focuses on Systems Support, Network Support, Cybersecurity, Risk Assessments, and Penetration Testing. Additional services include CIO Services, Cloud Migrations, and Data Archive. The organization employs over 90 people including Solution Architects, Systems Engineers, Network Engineers, Support Analysts, Help Desk Support, Project Managers, and Office Support. Niche IT has an average annual revenue of $13.6 million and an average net profit of $6.4 million. Most of their business is based on long term service contracts. Due to the size of the organization, Vantage Accounting has contracted the services of a local Managed Services Provider for their IT support. In early 2015, Vantage Accounting engaged Niche IT for the initial architecture, setup, and installation of the company's IT Infrastructure. The installation included the following components: Network infrastructure including cabling, switches, routers, firewalls, and wi-fi access points Server infrastructure including server hardware, Microsoft Active Directory Domain Services, Microsoft Exchange, print services, and server-based account applications Desktop infrastructure Communications infrastructure Documentation and training for Vantage Accounting's staff After the completion of the IT Infrastructure installation, Vantage Accounting and Niche IT entered into a Managed Services Agreement. The agreement detailed the services provided by Niche IT including system upgrades, system updates, technical support, and standard system maintenance. Additionally, the contract specified details on planned and unplanned maintenance work: Defined work that could be performed during business hours Defined work that could be performed during non-business hours Detailed work that could be performed onsite Detailed work that could be performed remotely Defined required approvals for any work that could cause downtime In early May 2020, Niche IT notified Vantage Accounting that they would be performing routine system maintenance, including system updates. The maintenance was to be conducted the last weekend in May during an agreed upon maintenance window, and Niche IT informed Vantage Accounting that some critical systems, including security systems, would be offline during this time. Initially, the scheduled maintenance was approved by Vantage Accounting staff as this date was past the normal tax deadline and staff should be returning to normal working hours. As a result of this approval, Niche IT scheduled a team of engineers to perform the system maintenance onsite at the Vantage Accounting offices. As the maintenance weekend approached, Vantage Accounting informed Niche IT that they had taken on a large new client that required weekend work from a team of CPAs. These CPAs and staff were to be in the office during the scheduled maintenance. Vantage Accounting requested that the maintenance either be postponed and performed remotely by the Niche IT engineers. Niche IT scheduled the engineers to perform the maintenance remotely and assured Vantage Accounting that they would only work on systems that did not influence production workloads. During the weekend system maintenance, four engineers from Niche IT connected to the Vantage Accounting network via a Virtual Private Network. The engineers connected to each switch, router, firewall, access point, server, print system, and communications systems. All device logs were reviewed, and updates were applied to non-critical systems. When a system required a reboot, the working staff was notified of any possible interruptions. One of Niche IT's engineers was using a personal laptop to perform the maintenance because his laptop was being repaired by the manufacturer. As luck would have it one of Vantage's accountants was also using a personal laptop due to maintenance issues with his work laptop. Apparently neither the engineer nor the accountant had the appropriate endpoint protection installed on their systems. As a result, a threat actor took advantage of the situation using a "man in the middle" attack while both laptops were connected to the Vantage Accounting network. The threat actor was able to key log usernames, passwords, and IP addresses associated with the engineer's system as well as each system that the engineer accessed on the Vantage Accounting network. As a result of this breach, Vantage Accounting had client files with confidential data stolen. Several systems were infected with a virus that was able to corrupt the drives and render the computers unusable. Niche IT was able to restore the firm's systems from backups, but any data or work done since couldn't be recovered