Identity theft continues to be a concern this tax season with two tax preparation software companies reporting unusual activity involving their customers. Those companies, TaxSlayer and TaxAct, have not suspended filing and do not believe that there has been an official data breach.
Tax preparation software company TaxSlayer has reported that accounts belonging to some of its customers have been illegally accessed. The company issued a press release stating:
“As a result of ongoing security reviews, TaxSlayer identified a small percentage of its customers whose accounts may have been accessed by someone who obtained their username and password from another online service. TaxSlayer notified about 8,800 individuals, or less than one third of one percent of our database. The company is confident this incident did not result from a breach of our systems. Rather, individuals’ usernames and passwords were compromised from another source. Regardless of size or origin, this is being actively investigated, as heightened security is our number one priority.
TaxSlayer worked with the IRS and state revenue departments throughout 2015 on security initiatives to combat fraud and continues to do so.
TaxSlayer values its customers, who entrust our company with their information, and are committed to educating taxpayers about cyber security. We encourage our customers to take steps to protect their personal and financial information in all their business. To further serve our customers’ best interests, we have offered customers affected by this incident 12 months of free identity theft insurance through ID experts. We also recommend that taxpayers use strong passwords that are unique to their account with us.”
Daniel Eubanks, Director of Compliance at TaxSlayer, stressed that this was “not a vulnerability or breach” but rather an attempt to access the company’s database using credentials stolen from other sources. It’s not yet known where the criminals might have obtained the credentials. Eubanks did note that sometimes user names and passwords are recycled or used many times: you may use the same credentials at multiple places like banks, making it more likely that information can be stolen and used to improperly access your accounts.
A second tax preparation company, TaxAct, reported similar attempts to access its customer accounts earlier this year. According to a TaxAct spokesperson:
“In January, TaxAct suspended a small number of accounts – less than 0.25 percent (less than ¼ of 1 percent) – after identifying instances of suspicious activity. The attacker did not gain access to income tax returns for the vast majority of the suspended accounts. Of those accounts suspended, a very small number, less than 5 percent of the ¼ of 1 percent, involved returns being accessed. This equates to less than 500 accounts.
As a result of our existing processes, we identified the issue early and prevented any further data from being compromised. As you can appreciate, specific detail around how we detected this activity is highly confidential and could provide valuable insight for the perpetrators who are behind these actions.
We then partnered with a leading forensic specialist firm to further investigate. We have concluded that this incident was not the result of a security breach of TaxAct systems. Rather, we believe usernames and passwords for a small number of account holders were obtained from sources outside of our own systems.
TaxAct has industry-standard security protocols in place and is taking additional measures to further protect our data from external threats. The company continues to proactively identify the best and most secure technology to safeguard our customers’ information.
We would like to use this as an opportunity to remind all tax filers of the importance of protecting their own personal information at all times. For starters, don’t use the same username and password for multiple online accounts. This can’t be stressed enough when it comes to tax or finance-related online accounts.”
TaxAct also offered the following tips for protecting your data:
Don’t use your email address or a portion of it as your username. For example, if your email address is email@example.com, you shouldn’t use ‘jdoe’ as a username for any of your online accounts.
Change all passwords frequently.
Limit what you share on social media.
Use anti-virus software and protect your computer by installing a firewall.
If all of this sounds like déjà vu, you’re not wrong. It’s very similar to what Intuit and the Internal Revenue Service (IRS) alleged last year. In 2015, TurboTax temporarily halted transmission of state e-filing tax returns, effective for all states, after it noticed an uptick in fraudulent data. Intuit believes that the stolen data was obtained from sources outside of their own systems.
Source: Forbes.com (http://www.forbes.com/sites/kellyphillipserb/2016/02/05/identity-theft-a-concern-as-two-tax-preparation-software-companies-announce-unusual-activity/#39194d922adb)