The tax preparation solutions provider TaxAct recently began notifying an undisclosed number of customers that their personal information may have been inappropriately accessed.
“We have concluded that an unauthorized third party accessed your TaxAct account between November 10 and December 4, 2015,” the company stated in a letter [PDF] sent on January 11, 2016 to those affected. “We have no evidence that any TaxAct system has been compromised and believe the third party used username and password combinations obtained from sources outside of our system.”
“In addition to your username and password, we have reviewed our website logs for account activity after this attempted access, and found that the tax return(s) stored in your account may have been opened or printed,” the company added. “These documents may contain your name and Social Security number, and may also contain your address, driver’s license number, and bank account information.”
“We recently suspended a small number of accounts – less than 0.25 percent … after identifying instances of suspicious activity,” a company spokeswoman told SC Magazine. “As a result of our existing processes, we identified the issue early and prevented any further data from being compromised.”
All those affected are being offered a 12 month subscription to ID Experts’ MyIDCare service.
Andrew Komarov, chief intelligence officer at InfoArmor, told eSecurity Planet by email that cybercriminals now have access to toolkits that allow them to brute force and cross-check stolen data from different sources in order to access other services such as TaxAct. And tax data like the information stolen in this case, Komarov noted, isn’t only useful for financial attacks or identity theft. “It reveals a lot of sensitive information about the victim, such as for example, who is employed by specific organizations, which can be useful for cyber espionage targeting,” he said.
Still, Jeff Hill, channel marketing manager at STEALTHbits Technologies, said by email that TaxAct’s statements regarding the breach may ultimately be seen as disingenuous. “They admit the attackers operated for 25 days without detection, but claim credit for identifying the issue ‘early,'” he said. “In addition, they cryptically describe their customers’ credentials as being obtained ‘from an outside source,’ confidently deflecting responsibility without any detail. One can appreciate the clever use of language to minimize concern and sidestep culpability, but it wouldn’t be surprising to find there’s much to this story than meets the eye.”
Last month, a Ping Identity survey of more than 1,000 U.S. enterprise employees found that half of respondents admitted reusing passwords for work-related accounts, and 62 percent admitted reusing passwords for personal accounts.
A recent eSecurity Planet article examined how to secure data in a post-perimeter world.