TaxSlayer Breach: Dissecting The Latest Cyberhack

Bitsight blog
Written by Jake Olcott, VP of Communications and Government Affairs, Bitsight

Cyberhacks of online tax software and services have been extremely prevalent in the last year. In August of 2015, the Internal Revenue Service (IRS) revealed that hackers had gained access to sensitive information about over 334,000 Americans by abusing the IRS's Get Transcript service. This service allowed taxpayers to retrieve data from their previous tax returns, but hackers leveraged it to gather enough personally identifiable information to steal identities.

In mid-January 2016, tax software vendor TaxAct froze 9,000 user accounts when it was discovered that those accounts had been breached in November and December of 2015. A TaxAct spokesperson, as cited in this Forbes article, noted that the breach wasn’t very large and only affected 0.25% of TaxAct’s accounts—but it still allowed hackers to gain access to names and social security numbers of the victims.

But more recently, the headlines have focused on a data breach at an online tax preparation software firm, TaxSlayer. This breach is even more significant because it was caused by a third party. TaxSlayer learned of this data breach—which happened between October and December of 2015—in mid-January, and notified affected customers in late January. The Hill reports that over 8,800 customers’ tax returns were compromised in the breach and that the company believes the hackers gained access by stealing credentials from an unnamed third party.

In a filing with the Justice Department in California, TaxSlayer revealed that the hackers “may have obtained access to any information [the customer] included in a tax return or draft tax return saved on TaxSlayer, including...name and address...Social Security number, the Social Security numbers of [their] dependents, and other data contained on [their] 2014 tax return.”

Not much more has been disclosed about the breach, and we’re unsure what the relationship with the third party was. But the fact that a third party was breached to obtain highly sensitive materials—that could be used to steal someone’s identity—is extremely important. We can’t break down what TaxSlayer did or did not do to understand the security posture of their vendors, but we can walk through some critical steps that you’ll want to take (if you haven’t already) in order to prepare for any cybersecurity incidents:

1. Assess your critical vendors.

To protect your organization’s corporate network, you need to be able to understand which vendors have access—and how much access they have. You’ll want to take a look at every third party and see what valuable information they have access to. Then you’ll want to limit each vendor’s privileges as much as possible, so they only have access to as much data as they need to do their job successfully.

2. Ensure your contract is airtight.

Do your third-party contracts specify the security expectations of the vendor? Many contracts are written in general vernacular—but this can prove to be a costly mistake. Asking your vendor to “provide notice to you in light of a breach in a reasonable amount of time” could be interpreted a number of ways. Using specific language can act as another safeguard for your organization should something happen to your data through a vendor breach.

3. Take necessary precautions.

If your customers’ data is hacked via a third party, you have a fiduciary (and often legal) duty to your customers. In TaxSlayer’s case, the company offered a free credit monitoring service for one year, a one-million-dollar insurance reimbursement policy, and more. We are unsure of whether TaxSlayer had purchased cyber insurance to cover some of these costs—but if they did, they may have taken a great deal of the financial burden off of themselves.

4. Use a continuous monitoring solution.

You can put a number of safeguards in place to examine your network and your vendors’ networks—but these examinations only offer insight on vulnerabilities for a single moment in time. What about the other 364 days of the year? That’s the question that forms the basis of continuous risk monitoring. This technology allows you to see—on a day-to-day basis—who is interacting with your data and be alerted should any new security issues arise. This won’t prevent vulnerabilities on your network or your vendors’—but it will prepare you for them.
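As an added illustration of the "who is interacting with your data" side of step 4, here is a small baseline-and-alert check run over access-log lines for third-party service accounts. This is example code written for this page, not code from the original post or from Bitsight; the log format, the account names and IP addresses, the baseline window and the three-standard-deviation volume threshold are all constructed assumptions. It profiles each vendor account from a quiet period (known source IPs, typical record volume, observed hours) and then flags later events that deviate, which is the kind of day-to-day signal that stolen third-party credentials tend to produce.

```python
"""Baseline-and-alert detection over third-party account access logs.

Added example; not from the original post or from Bitsight. Every value
below (log format, accounts, IPs, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Space-separated fields:
# ISO timestamp, service account, source IP, action, number of records touched.
SAMPLE_LOG = """\
2015-10-01T09:12:03 vendor-svc-a 203.0.113.10 read_return 14
2015-10-02T09:40:11 vendor-svc-a 203.0.113.10 read_return 11
2015-10-03T10:02:55 vendor-svc-a 203.0.113.10 read_return 16
2015-10-04T09:55:20 vendor-svc-a 203.0.113.11 read_return 12
2015-10-05T09:30:41 vendor-svc-a 203.0.113.10 read_return 15
2015-10-01T11:00:00 vendor-svc-b 198.51.100.5 read_return 3
2015-10-02T11:05:00 vendor-svc-b 198.51.100.5 read_return 2
2015-10-03T11:10:00 vendor-svc-b 198.51.100.5 read_return 4
2015-10-20T02:13:40 vendor-svc-a 192.0.2.77 read_return 420
2015-10-21T09:15:00 vendor-svc-a 203.0.113.10 read_return 13
2015-10-21T11:30:00 vendor-svc-b 198.51.100.5 read_return 3
2015-10-22T14:00:00 vendor-svc-c 198.51.100.9 read_return 1
"""

# Assumption: everything before this date is a trusted baseline period.
BASELINE_END = datetime(2015, 10, 10)


@dataclass
class Event:
    ts: datetime
    account: str
    src_ip: str
    action: str
    records: int


@dataclass
class Alert:
    event: Event
    reasons: list


def parse_log(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, count = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, ip, action, int(count)))
    return events


def build_baseline(events, baseline_end):
    """Per-account profile from the baseline period: known IPs, volumes, hours of day."""
    profile = defaultdict(lambda: {"ips": set(), "volumes": [], "hours": set()})
    for e in events:
        if e.ts < baseline_end:
            p = profile[e.account]
            p["ips"].add(e.src_ip)
            p["volumes"].append(e.records)
            p["hours"].add(e.ts.hour)
    return dict(profile)


def detect(events, baseline, window_start, sigma=3.0):
    """Flag post-baseline events whose account, source IP, volume or hour is unusual."""
    alerts = []
    for e in events:
        if e.ts < window_start:
            continue  # baseline events are trusted by assumption
        reasons = []
        p = baseline.get(e.account)
        if p is None:
            reasons.append("account not in baseline")
        else:
            if e.src_ip not in p["ips"]:
                reasons.append(f"new source IP {e.src_ip}")
            vols = p["volumes"]
            threshold = mean(vols) + sigma * pstdev(vols)
            if e.records > threshold:
                reasons.append(f"volume {e.records} exceeds baseline threshold {threshold:.1f}")
            if e.ts.hour not in p["hours"]:
                reasons.append(f"outside observed hours ({e.ts.hour:02d}:00)")
        if reasons:
            alerts.append(Alert(e, reasons))
    return alerts


def run_example():
    """Run the whole pipeline over the constructed log and return the alerts."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, BASELINE_END)
    return detect(events, baseline, BASELINE_END)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.event.ts.isoformat()} {a.event.account}: " + "; ".join(a.reasons))
```

On the sample data the 420-record read from an unseen IP at 02:13 trips all three checks at once, and the never-profiled `vendor-svc-c` account trips the "not in baseline" check; ordinary daytime reads from known addresses pass. In practice the baseline would be rebuilt on a rolling window and the alerts fed to whatever ticketing or SIEM workflow your team already runs, but the shape of the check is the same.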

In Conclusion

It’s important to note that TaxSlayer—as well as the IRS and TaxAct—may have been diligent about their vendor risk management and still have experienced this breach. But if you aren’t following through on these important steps, the fact is, you’re acting negligently—so make every effort to create an in-depth plan before you have a crisis on your hands.