DATA BREACH AT TAX ACT

[Lee B]

COPIED FROM ACCOUNTING TODAY:

Tax preparation software developer TaxAct disclosed a data breach, leading the company to suspend the accounts of more than 9,000 customers.

The Cedar Rapids, Iowa-based company, part of Blucora Inc., said the data breach affected a small percentage of its customers.

“TaxAct recently suspended a small number of accounts—less than 0.25 percent (less than ¼ of 1 percent)—after identifying instances of suspicious activity,” said a company spokesperson contacted by Accounting Today. “The attacker did not gain access to income tax returns for the vast majority of the suspended accounts. Of those accounts suspended, a very small number, less than 5 percent of the ¼ of 1 percent, involved returns being accessed.”

SourceMedia's Partner Insights program enables marketers to deliver relevant content and insights directly to the Accounting Today audience via SourceMedia's digital media platforms. Partner Insights content is produced by the marketer. To find out more, contact Jack Lynch at [email protected]

Criminals may have stolen tax information from approximately 450 of TaxAct’s customers, according to The Wall Street Journal. The company sent a letter to 450 of its customers notifying them of a data breach occurring between Nov. 10 and Dec. 4, 2015, warning that their names, Social Security Numbers and tax returns may have been accessed.

The company said it was able to limit the damage from the hackers, however.

“As a result of TaxAct’s existing processes, the team identified the issue early and prevented any further data from being compromised,” said a company spokesperson. “TaxAct then partnered with a leading forensic specialist firm to further investigate. This led to the conclusion that the incident was not the result of a security breach of TaxAct systems. Rather, the team believes usernames and passwords for a small number of account holders were obtained from sources outside of TaxAct’s own systems.”

The IRS has been working with tax software vendors, major tax prep chains and state tax authorities this year to improve the security of their software to safeguard against identity theft this tax season (see IRS Kicks Off Tax Season). They are sharing more than 20 data elements to help authenticate tax returns.

There will also be new procedures this tax season to help prevent fraudsters from taking over the accounts of taxpayers. New password standards to access tax software will require a minimum of 8 characters with upper case, lower case, alpha, numerical and special characters. A new timed lockout feature and limited unsuccessful log-in attempts will be part of tax prep software, along with the addition of three security questions. There will also be “out-of-band verification” for email addresses, which is sending an email or text to the customer with a PIN, a practice used throughout the financial sector.

“TaxAct has industry-standard security protocols in place and is taking additional measures to further protect its data from external threats,” said the company spokesperson."

[jklcpa]

From the linked article entitled "IRS Kicks Off Tax Season", specifically addressing security:

Security Improvements
The IRS has also boosted security this tax season in an effort to combat identity theft, partnering with state tax authorities, tax software vendors and major tax preparation chains. More than 20 shared data elements will help the software industry and the IRS stop fraudulent returns at the door, the IRS said in an email Tuesday.

For example, the IRS will receive information from software providers about the duration of time it took to create the return. This will help identify the computer-generated tax returns that are fraudulent and filed in bulk.

The IRS, states and tax industry will also share details of any fraudulent schemes they see on a frequent basis so everyone will have the same information and adjust accordingly to provide increased protection to taxpayers.

The IRS said the most publicly visible aspect of these partnership efforts will be for those taxpayers who prepare their own tax returns using tax software or online products. There will be new procedures that will help prevent fraudsters from taking over the accounts of taxpayers. These include: 

• New password standards to access tax software will require a minimum of 8 characters with upper case, lower case, alpha, numerical and special characters.

• A new timed lockout feature and limited unsuccessful log-in attempts.

• The addition of three security questions.

There will also be “out-of-band verification” for email addresses, which is sending an email or text to the customer with a PIN—a common practice used throughout the financial sector.