Consumer Fraud

TaxAct confirms data breach; more than 9,000 customer accounts suspended

data breach TaxAct confirms data breach; more than 9,000 customer accounts suspendedWith tax season ramping up, many Americans are using various means of filing, whether it be with a tax specialist or tax preparation software. TaxAct, one of the many tax preparation software developers, announced this week that it suffered a data breach sometime between Nov. 10 and Dec. 4, 2015, leading to the suspension of more than 9,000 customer accounts.

While the data breach occurred at an inconvenient time for people, TaxAct did confirm that the incident only affected a small percentage of its customer base.

“TaxAct recently suspended a small number of accounts—less than 0.25 percent (less than ¼ of 1 percent)—after identifying instances of suspicious activity,” a TaxAct spokesperson told Accounting Today. “The attacker did not gain access to income tax returns for the vast majority of the suspended accounts. Of those accounts suspended, a very small number, less than 5 percent of the ¼ of 1 percent, involved returns being accessed.”

According to the Wall Street Journal, out of the nearly 9,000 suspended accounts, approximately 450 customers were actually compromised by hackers. However, those customers are now faced with the dilemma that their names, Social Security numbers and tax returns are likely in the possession of cybercriminals. TaxAct has since mailed those affected by the cyberattack regarding what happened.

TaxAct did confirm that the company was able to fend off hackers and limit the damage to its servers.

“As a result of TaxAct’s existing processes, the team identified the issue early and prevented any further data from being compromised,” a TaxAct spokesperson told Accounting Today. “TaxAct then partnered with a leading forensic specialist firm to further investigate. This led to the conclusion that the incident was not the result of a security breach of TaxAct systems. Rather, the team believes usernames and passwords for a small number of account holders were obtained from sources outside of TaxAct’s own systems.”

In order to spur better cybersecurity trends in 2016, the IRS has been discussing how to protect client data with numerous tax software vendors, state tax authorities and major tax preparation chains. Some new procedures have been added to the list of tax return authentication methods to deter fraudulent activity in customer accounts. Some of the methods include more stringent password requirements, new security questions and even a new timed lockout feature that will limit unsuccessful login attempts.

“TaxAct has industry-standard security protocols in place and is taking additional measures to further protect its data from external threats,” the company spokesperson stated to Accounting Today. “TaxAct continues to proactively identify the best and most secure technology to safeguard its customers’ information.”

Accounting Today
Wall Street Journal