[ISN] H&R Block Mailing Reveals Customers' SSNs

InfoSec News isn at c4i.org
Wed Jan 4 06:08:33 EST 2006


http://www.eweek.com/article2/0,1895,1907596,00.asp

By Paul F. Roberts 
January 3, 2006 

Some H&R Block customers who received free copies of the company's
TaxCut software also had their Social Security numbers exposed,
according to a company spokesperson.

H&R Block sent a letter to customers in late December saying that the
unique, 47-digit tracking number used on packages containing TaxCut
included the customer's Social Security number.

H&R Block blamed user error for the slip and said the number would be
impossible to spot, and that no customer data has been lost or stolen
as a result of the mistake, according to Denise Sposato, a
spokesperson for H&R Block.

H&R Block learned of the slip-up in late December, after a customer
informed the company that a unique ID that appeared on the package,
above the mailing label, contained his or her Social Security number.

The number is used by H&R Block's marketing department, Sposato said.

After learning of the mishap, H&R Block moved quickly to identify the
source of the error and customers who were affected by it, Sposato
said.

The Kansas City, Mo., company said it believes that less than 3
percent of those who were mailed a copy of TaxCut had their Social
Security numbers used.

Sposato declined to say how big the mailing was or to provide an
estimate of how many of the company's current and former customers
were affected.

Sposato said the incident was an accident and "completely contrary to
established procedure" at the company, which makes its money helping
individuals prepare and file tax returns.

Social Security numbers are not used to track other mailings, nor are
they used to derive the unique tracking numbers used on mailings, she
said.

H&R Block informed customers of the mistake in a letter, and set up a
Web page on the company's site with information for those whose Social
Security numbers were disclosed.

H&R Block feels the risk of identity theft is minimal, Sposato said.

This is the first year that H&R Block mailed the TaxCut software to
current and former customers. Some of those receiving the tax
preparation software have not used H&R Block for a year or more,
Sposato said.

H&R Block has notified its compliance officer about the problem, but
declined to say whether authorities or federal regulators were
informed of the information leak.

The news from H&R Block is just the latest in a long string of
disclosures of corporate data leaks.

Just last week, Marriott Vacation Club International, a division of
Marriott International Inc., said computer backup tapes with
information on more than 200,000 customers disappeared from the
company's Orlando, Fla., offices. The tapes may contain credit card
numbers, Social Security numbers and addresses of customers of the
timeshare property business.

Data privacy will be a top issue for federal lawmakers in 2006. The
U.S. Congress will consider a federal data breach notification law
next year, in addition to new regulations aimed at spyware programs.




