Sponsored Links

Security flaw in Florida tax website exposed filers' sensitive data

The state fixed the bug, which even revealed Social Security numbers.
MIAMI, FL - DECEMBER 22:  A copy of a IRS 1040 tax form is seen at an H&R Block office on the day President Donald Trump signed the Republican tax cut bill in Washington, DC  on December 22, 2017 in Miami, Florida. Kathy Pickering, vice president of regulatory affairs and executive director of The Tax Institute at H&R Block released a statement about the new tax bill saying, " It's going to change the way you think about and plan your income taxes. You'll need to take a fresh look at your individual situation to know your outcome and new strategies to use to get the best tax outcome."  (Photo by Joe Raedle/Getty Images)
Joe Raedle/Getty Image
Jon Fingas
Jon Fingas|@jonfingas|December 2, 2022 4:57 PM

Some Florida residents may be keeping a close eye on their finances after a security incident. Researcher Kamran Mohsin tells TechCrunch that Florida's Department of Revenue website had a flaw that exposed hundreds of filers' bank account and Social Security numbers. Anyone who logged in to the state business tax registration site could see, modify and even delete personal data just by modifying the web address pointing to a taxpayer's application number — you just needed to change the digits in the link.

There were over 713,000 applications in the Department's pipeline at the time of the discovery, Mohsin said. Mohsin warned the Department about the flaw on October 27th.

Department representative Bethany Wester said in a statement that the government fixed the flaw within four days of the report, and that two unnamed firms have deemed the site secure. She added there was "no sign" attackers abused the flaw, but didn't say how officials might have spotted any misuse. The agency contacted every affected taxpayers by phone or writing within four days of learning about the issue, and has offered a year of free credit monitoring.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

Bugs like these, known as insecure direct object references, are relatively easy to fix. The damage might also be limited compared to other tax-related breaches, such as a Healthcare.gov intrusion that compromised about 75,000 people in 2018. However, the incident underscores the potential harm from weak security — even a small-scale exposure like this could be used to commit tax fraud and steal refunds.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
Security flaw in Florida tax website exposed filers' sensitive data