Tax preparation software developer TaxAct disclosed a data breach, leading the company to suspend the accounts of more than 9,000 customers.
The Cedar Rapids, Iowa-based company, part of Blucora Inc., said the data breach affected a small percentage of its customers.
“TaxAct recently suspended a small number of accounts—less than 0.25 percent (less than ¼ of 1 percent)—after identifying instances of suspicious activity,” said a company spokesperson contacted by Accounting Today. “The attacker did not gain access to income tax returns for the vast majority of the suspended accounts. Of those accounts suspended, a very small number, less than 5 percent of the ¼ of 1 percent, involved returns being accessed.”
Criminals may have stolen tax information from approximately 450 of TaxAct’s customers, according to
The company said it was able to limit the damage from the hackers, however.
“As a result of TaxAct’s existing processes, the team identified the issue early and prevented any further data from being compromised,” said a company spokesperson. “TaxAct then partnered with a leading forensic specialist firm to further investigate. This led to the conclusion that the incident was not the result of a security breach of TaxAct systems. Rather, the team believes usernames and passwords for a small number of account holders were obtained from sources outside of TaxAct’s own systems.”
The IRS has been working with tax software vendors, major tax prep chains and state tax authorities this year to improve the security of their software to safeguard against identity theft this tax season (see
There will also be new procedures this tax season to help prevent fraudsters from taking over the accounts of taxpayers. New password standards to access tax software will require a minimum of 8 characters with upper case, lower case, alpha, numerical and special characters. A new timed lockout feature and limited unsuccessful log-in attempts will be part of tax prep software, along with the addition of three security questions. There will also be “out-of-band verification” for email addresses, which is sending an email or text to the customer with a PIN, a practice used throughout the financial sector.
“TaxAct has industry-standard security protocols in place and is taking additional measures to further protect its data from external threats,” said the company spokesperson. “TaxAct continues to proactively identify the best and most secure technology to safeguard its customers’ information.”