TaxSlayer breached: 8,800 customers notified PII may be compromised
TaxSlayer is blaming an unnamed third party for a breach that may have compromised the PII of more than 8,000 customers.
Tax preparation software publisher TaxSlayer notified about 8,800 of its customers last week that an unauthorized third party may have gained access to the personal information contained on their tax return.
The company said that on January 13, 2016, it became aware that hackers had accessed some of their customers' accounts. TaxSlayer told SCMagazine.com in an email Monday it believed the usernames and passwords that were used to compromise these accounts were taken from a third party vendor. However, TaxSlayer refused to identify this company or the role it plays within their system.
The illegal access took place between Oct. 10, 2015 and December 21, 2015, TaxSlayer said in an official filing with the State of California Department of Justice.
“The unauthorized third party may have obtained access to any information you included in a tax return or draft tax return saved on TaxSlayer, including your name and address, your Social Security number, the Social Security numbers of your dependents, and other data contained on your 2014 tax return,” the company said in its letter to the affected customers.
The 8,800 people represent less than one third of one percent of TaxSlatyer database,” said Steven Binder Taxslayer's chief marketing officer, in a written release obtained by SCMagazine.com.
“Evidence shows that the unauthorized access did not occur as a result of a vulnerability to our systems. Nor do we believe that usernames and passwords stored on our systems were accessed and compromised. However, we believe that user credentials, stolen from other sources, were then used to misrepresent our customers and therefore access our program. We have no reason to believe that third party was in any way related to TaxSlayer, rather an as-yet-unidentified criminal element," a TaxSlayer spokesperson said to SCMagazine.com in an email Tuesday.
The company is making $1 million worth of identity theft insurance available to those affected for one year along with credit monitoring for the same period. The company is recommending that these individuals change not only their TaxSlayer user names and passwords, but also those on any other accounts on which they are used.
TaxSlayer joins TaxAct, which earlier this month reported it had suffered a similar breach.