US-based tax preparation firm TaxSlayer has admitted that thousands of user records may have been compromised in a data breach, leaving a slew of financial accounts and tax filings at risk. The breach, blamed on what it has called an "unauthorised third party", was identified on 13 January as part of an ongoing security review.
The firm has said it believes usernames and passwords may have been accessed by the unknown hackers. Additionally, social security numbers and even previously filed tax returns are suspected to have been put at risk. According to SC Magazine, the hack has affected a total of 8,800 TaxSlayer users.
Lisa Daniel, director of customer support at TaxSlayer, said in a filing to the Californian Department of Justice that the illegal access took place between 10 October and 21 December 2015. In the filing, Daniels outlined what data is thought to have been exploited and what steps the firm is now taking to mitigate the problem. "The unauthorised third party may have obtained access to any information you included in a tax return or draft tax return saved on TaxSlayer, including your name and address, your social security number, the social security numbers of your dependents, and other data contained on your 2014 tax return," the letter stated.
"We recommend that you immediately change your username and password for any other online account for which you use the same username and password. We also strongly recommend that you obtain an Identity Protection PIN from the IRS. This is a unique PIN assigned to you that would be required to file your tax return. It will ensure that someone else cannot file a return with your social security number."
Despite the investigation showing that sensitive data may have been compromised in the attack, the company maintains in the letter that there is no evidence that TaxSlayer's systems remain vulnerable. Instead, hackers could have targeted the accounts via a third-party vendor. Following the incident, TaxSlayer temporarily disabled access to the exposed accounts and told users to make use of two-factor authentication in the future to bolster personal account security. Additionally, the software company has now issued customers with 12 months of free credit monitoring, education materials and an extended insurance policy.
The IBTimes UK contacted TaxSlayer for comment, but had received no reply at the time of publication.
The cyber-breach at TaxSlayer follows on from a similar attack uncovered in January against a separate firm called TaxAct that potentially compromised data such as tax returns, social security numbers, driving-license numbers and financial records. It is thought that this attack also took place in late 2015. In a letter dated 11 January, Rob Gettemy, chief operating officer of TaxAct, said: "In addition to your username and password, we have reviewed our website logs for account activity after this attempted access, and found that the tax return(s) stored in your account may have been opened or printed".
As previous hacking activity shows, even the large credit-monitoring firms called in to soften the blow of these attacks can be compromised. Last year, the world's biggest monitoring agency Experian suffered a major data breach that resulted in the loss of 15 million T-Mobile US customer records.