Scam Report

FTC Charge: ID Theft at TaxSlayer

  2435 Views 
FTC Charge: ID Theft at TaxSlayer
Share this Report!

Online Tax Preparation Service Agrees to Settle FTC Charges

The operator of a Georgia-based online tax preparation service TaxSlayer has agreed to settle Federal Trade Commission allegations that it violated federal rules on financial privacy and security.

In its complaint against TaxSlayer, LLC, the FTC alleged that malicious hackers were able to gain full access to nearly 9,000 TaxSlayer accounts between October 2015 and December 2015.

The hackers used the information they accessed to engage in tax identity theft, which allowed them to obtain tax refunds by filing fraudulent tax returns, according to the complaint.

The FTC charged that TaxSlayer violated the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality and integrity of customer information, and the Privacy Rule, which requires financial institutions to deliver privacy notices to customers.

Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards to protect that information,” said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. “TaxSlayer didn’t have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft.

The FTC alleged that TaxSlayer violated the Safeguards Rule by failing to develop a written comprehensive security program until November 2015; to conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and to implement information security safeguards that would help prevent a cyberattack.

For example, TaxSlayer failed to implement adequate risk-based authentication measures that would have helped reduce the chances of an attack from hackers who had used stolen credentials to try to gain access to TaxSlayer customer accounts, according to the complaint.

The FTC also alleged that the company did not require consumers to choose strong passwords, exposing customers to the risk that attackers could guess commonly used passwords to access their TaxSlayer accounts.

The FTC also alleged that the company violated the Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and to deliver it in a way that ensured that customers received it.

This case also demonstrates the importance of password protection,” said Pahl. “Hackers took advantage of people who re-used passwords from other sites, and the attack ended when TaxSlayer eventually required people to use multi-factor authentication.

As part of the settlement with the FTC, the company is prohibited from violating the Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act for 20 years. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, the company is required for 10 years to obtain biennial third-party assessments of its compliance with these rules.

The FTC has these tips to fight tax identity theft:

  • File your tax return early in the tax season, if you can.
  • Use a secure internet connection if you file electronically, or mail your tax return directly from the post office.
  • When using an online tax preparation service, look for the tax preparer identification number. The IRS requires all paid tax preparers to have one before filing any returns.
  • To determine if a website is encrypted, look for https at the start of the web address (the “s” is for secure). Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, your entire account could be vulnerable. Look for https on every page you visit, not just when you sign in.
  • Ask tax preparers about their data security policies, and how they protect your information.
  • Respond to all mail from the IRS as soon as possible.

If tax identity theft happens to you, visit IdentityTheft.gov to report it to the FTC, file an Identity Theft Affidavit with the IRS electronically, and get a personal recovery plan.
For more information, check out the FTC’s imposters webpage.

If you spot a scam, report it at ftc.gov/complaint. Your reports help the FTC and other law enforcement investigate scams and bring crooks to justice.

Don't fall for Business Finance Scams

We've verified, rated and reviewed the following companies and consider them to be among the best in the business finance field
When you deal with these companies you know you're in safe hands:
ScamReport.com is free to use because we may earn a commission when you use a service listed on our site. Learn More.

Leave a Reply

Find Trusted Providers

Avoid the scammers - search our directory of trusted companies