Security Flaw in Florida Tax Website Exposed Filers’ Data

Total times read this article : 11

If you bank in Florida you might want to read this one. A security flaw in Florida’s Department of Revenue website left hundreds of taxpayers’ Social Security numbers and bank account numbers exposed.  

According to security researcher Kamran Mohsin(Opens in a new window) who found the now fixed flaw, anyone who logged in to the state’s business tax registration website could access, modify and delete the personal data of business owners whose information is on file with the state’s tax authority by altering the web address that contains the taxpayers’ application number.

There were over 713,000 applications in the Department’s pipeline at the time of the discovery, Mohsin said. The security researcher alerted the Florida Department of Revenue about the flaw on Oct. 27, and the flaw was fixed within four days. According to TechCrunch who spoke with Mohsin, he has not heard back from the Department since.

In an email to TechCrunch, spokesperson Bethany Wester said: “The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

The Department also told TechCrunch that it has identified “no sign of exploitation prior to this breach,” but did not say if it had the technical means, such as logs, to establish if there was evidence of prior exploitation or data exfiltration.

Recommended by Our Editors

In 2018, a similar security breach affected 75,000 users of Healthcare.gov(Opens in a new window). According to Engadget, a significant amount of personal information including partial Social Security numbers, tax information and immigration status was compromised but no financial information was stolen.

SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.”,”first_published_at”:”2021-09-30T21:22:09.000000Z”,”published_at”:”2022-03-24T14:57:33.000000Z”,”last_published_at”:”2022-03-24T14:57:28.000000Z”,”created_at”:null,”updated_at”:”2022-03-24T14:57:33.000000Z”})” x-show=”showEmailSignUp()” class=”rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs” readability=”31.423799582463″>

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

Facebook Comments Box

Hits: 0

RELATED ARTICLESMORE FROM AUTHOR