Tax prep firm reaches settlement with FTC over cybersecurity lapses

TaxSlayer, a tax preparation company hacked by a ring of identity thieves in 2015, has agreed to settle a Federal Trade Commission complaint about its cybersecurity and data privacy practices — consenting to adopt a new security program and pay for third-party audits of its services.

“Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection in a statement. “TaxSlayer didn’t have an adequate risk assessment plan.”

The FTC announced the settlement in a statement Tuesday, saying the company was in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement security safeguards to protect customers’ personal information; and its Privacy Rule, which requires financial institutions to tell customers about their privacy practices — the widely ignored “privacy notices” that they distribute.

There is no direct financial penalty, but the company has to bear the costs of the security measures.

TaxSlayer was one of a number of online tax prep outfits that were targeted in 2015 by a group of cybercriminals using so-called list validation attacks — trying to login with millions of username-and-password combinations stolen in previous unconnected data breaches. The attack relies on the fact that most people disregard security best practices and reuse passwords across different accounts. It also only works if the provider of the targeted online account has no countermeasures in place to detect multiple repeat login efforts to different accounts from the same remote computer.

The login attempts on TaxSlayer accounts began on Oct. 10, according to the FTC complaint, which lays out the agency’s view of the company’s violations. They only stopped on Dec. 21, when the company introduced an out-of-band identity authentication factor; requiring those logging in to submit a one-time passcode sent to their phone or email, as well as a username and password. Nearly 9,000 accounts had by then been successfully attacked, the agency says, although the company points out this was fewer than one percent of its online customer base of 900,000-plus.

Once the hackers were logged in, they could e-file fraudulent returns and change the address or the bank account to which refunds were to be sent. The FTC say they successfully did this on “an unknown number” of the 8,882 TaxSlayer Online accounts that were attacked.

The agency says the company only learned of the attacks Jan. 11 2016, when a customer contacted them to complain.

According to the FTC complaint, TaxSlayer only began developing an information security program in November 2015, after the attack by the cybercrime ring began, (but, again, before the company found out about it.) The complaint also alleges that TaxSlayer:

• Failed to require customers to choose a strong password, “which is a standard practice for accounts containing sensitive personal information,” instead allowing any password between eight and 16 characters

• Failed to conduct a risk assessment, “which would have identified reasonably foreseeable [security risks] … including risks associated with inadequate [online identity] authentication”

• Failed to use risk-based authentication measures, which allowed hackers to try logging onto multiple different accounts one after the other from a remote computer

• Failed to inform customers when a material change was made to the mailing address, bank account or password associated with their account

• Failed to validate an email address when the account was first created, meaning they had no reliable way of communicating with customers

TaxSlayer declined to provide an executive to comment for this article. The company noted it was one a series of tax prep companies attacked by the highly organized hacker ring, and says that it was part of IRS’s Security Summit an industry group “which works diligently to research and formulate industry-wide protections of taxpayer information.”

The company added that, as soon as it learned of the hack, “TaxSlayer reacted instantly and self-reported the attack to the IRS and took immediate remediation efforts that have become standardized in response to such attacks. As part of our ongoing efforts to provide customers with the highest quality software and technology, we implemented increased security procedures and stricter authentication measures. ”