TaxSlayer Settles FTC Charges That Lax Security Led To Identity Theft

Image courtesy of (afagen)

Sure, it might be convenient to do your own income tax preparation online, but it could be risky: Scammers all over the globe have exploited these risks, slurping billions of dollars’ worth of ill-gotten tax refunds into their bank accounts. In order to prevent even more of this, federal regulators have settled charges TaxSlayer violated federal rules on financial privacy and security.

Tax returns include sensitive financial information, after all, including Social Security numbers, employment information, and the amount each person is really due in taxes. Access to a tax return gives the person filing them the ability to change addresses and bank accounts and receive someone else’s tax refund.

While the Internal Revenue Service has taken steps to protect taxpayers against having their refunds shipped to scammers or even shipped out of the country, the Federal Trade Commission says that TaxSlayer’s lax security and privacy practices hurt their customers [FTC].

The FTC notes that the company failed at some pretty basic security safeguards [PDF], including protecting users against having their credentials from other sites re-purposed on the TaxSlayer site, or notifying customers when the mailing address, password, security question, or banking information associated with their accounts had changed.

It also didn’t require customers to choose complex passwords, an important safeguard against hackers gaining access to accounts.

Even though it holds financial information, the company didn’t develop a written comprehensive security program until Nov. 2015. The company also didn’t issue a written privacy policy to customers, which it was required to do.

The company is now required to get third-party assessments of its security practices every two years for the next ten years, and will face harsher penalties if it is caught violating the Safeguards Rule or the Financial Privacy Rule in the next 20 years.