
Security Flaw in Florida Tax Website Exposed Filers' Data

A security flaw in Florida’s Department of Revenue website left hundreds of taxpayers’ Social Security numbers and bank account numbers exposed.

Marco Marcelline, Contributor


If you bank in Florida, you might want to read this one. A security flaw in Florida’s Department of Revenue website left hundreds of taxpayers’ Social Security numbers and bank account numbers exposed.

According to security researcher Kamran Mohsin, who found the now-fixed flaw, anyone who logged in to the state’s business tax registration website could access, modify, and delete the personal data of business owners whose information is on file with the state’s tax authority by altering the web address that contains the taxpayer’s application number.

There were over 713,000 applications in the Department's pipeline at the time of the discovery, Mohsin said. The security researcher alerted the Florida Department of Revenue about the flaw on Oct. 27, and the flaw was fixed within four days. According to TechCrunch, which spoke with Mohsin, he has not heard back from the Department since.

In an email to TechCrunch, spokesperson Bethany Wester said: “The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

The Department also told TechCrunch that it has identified “no sign of exploitation prior to this breach,” but did not say whether it had the technical means, such as logs, to establish if there was evidence of prior exploitation or data exfiltration.
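Whether logs can settle that question depends on recording the logged-in account alongside the application number in each request. The following Python is an added example (not from the article, the Department, or the researcher) of that review: it flags accounts that requested application numbers filed by someone else. The log format, the `appId` parameter name, the URL paths, and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: which account filed which application number.
OWNERS = {"1001": "alice", "1002": "bob", "1003": "carol", "1004": "dave"}

# Constructed access-log lines: time, authenticated account, method, URL.
LOG = """\
2023-10-20T09:00:01Z alice GET /registration/view?appId=1001
2023-10-20T09:00:09Z alice POST /registration/edit?appId=1001
2023-10-20T09:05:12Z mallory GET /registration/view?appId=1001
2023-10-20T09:05:13Z mallory GET /registration/view?appId=1002
2023-10-20T09:05:14Z mallory GET /registration/view?appId=1003
2023-10-20T09:05:20Z mallory POST /registration/edit?appId=1003
2023-10-20T09:06:00Z bob GET /registration/view?appId=1002
2023-10-20T09:07:30Z bob GET /registration/view?appId=9999
malformed line without fields
"""

# Hypothetical format: "<time> <account> <method> <url with appId=N>".
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) \S*[?&]appId=(\d+)(?:&|$)")

def cross_account_access(log_text, owners):
    """Return {account: {"apps": set, "methods": set}} for requests whose
    application number belongs to a different account (or to nobody)."""
    findings = defaultdict(lambda: {"apps": set(), "methods": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that carry no application number
        _ts, account, method, app_id = m.groups()
        if owners.get(app_id) != account:
            findings[account]["apps"].add(app_id)
            findings[account]["methods"].add(method)
    return dict(findings)

def triage(findings, threshold=3):
    """Accounts that touched at least `threshold` foreign application numbers
    look like enumeration; fewer may be a typo or a stale bookmark."""
    return sorted(a for a, f in findings.items() if len(f["apps"]) >= threshold)

if __name__ == "__main__":
    found = cross_account_access(LOG, OWNERS)
    for account, f in sorted(found.items()):
        print(account, sorted(f["apps"]), sorted(f["methods"]))
    print("likely enumeration:", triage(found))
```

A non-GET method in an account's findings indicates that records may have been changed or deleted, not only viewed, which widens what has to be checked against backups.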

In 2018, a similar security breach affected 75,000 users of Healthcare.gov. According to Engadget, a significant amount of personal information, including partial Social Security numbers, tax information, and immigration status, was compromised, but no financial information was stolen.
