[Dataloss] Turbo Tax Error

Dissent Dissent at pogowasright.org
Mon Apr 9 15:17:50 UTC 2007 

http://www.wrcbtv.com/news/index.cfm?sid=7473


A Nebraska woman recently discovered a shocking flaw with a website 
thousands of people use to prepare their taxes. Instead of taking 
advantage of this potential gold mine for identity thieves, she is 
calling attention to it to protect other taxpayers.

In her laptop, Jennifer discovered a key to the backdoor of some tax 
returns filed on line through Turbo Tax.

A Turbo Tax customer herself, Jennifer attempted to access some past 
filings and the route she took online opened returns for several 
others with the same last name, but different first initials.

For security reasons we're not revealing the common last name or how 
Jennifer inadvertently gained access to three other Turbo Tax accounts.

She was able to access tax returns for three Turbo Tax customers she 
never met in different parts of the country.

There on her screen, everything needed for electronic filing from 
bank account to routing digits and of course social security numbers.

An Omaha based official with the Turbo Tax parent company says the 
inadvertent access to some tax files came as a shock.

"We think it was a quirk, an individual circumstance as far as we 
know. So what we did is we took that link down in the product for now 
until we can fully investigate to make sure the issue won't happen 
again to anybody else," says Gordon Whitten.

Jennifer wouldn't want an internet stranger peeking into her tax 
filings so she'll delete any information that opened the back door to 
others with the same last name.

This does not involve the Turbo Tax software, only the website that 
allows taxpayers to create an account and do their taxes there.

Company officials say the inadvertent window of opportunity for 
potential thieves has been closed. Turbo Tax has not received any 
reports of customer accounts being accessed by identity thieves, and 
says it is grateful the Nebraska customer brought it to the company's 
attention.

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

More information about the Dataloss mailing list