TaxDome reports security incident, says no sensitive data exposed

Accounting-focused tax software company TaxDome confirmed that it experienced a data exposure incident on Friday, but stressed that no sensitive personal data was accessed. 

The company's post-mortem report said that, for about an hour on Friday morning, 30 paying TaxDome users opened the reporting function, which is meant to be accessible only to TaxDome firms, not their clients. When they used this reporting function, these users accidentally saw high-level reporting with incorrect numbers (revenue earned, number of clients with certain tags, etc.).

TaxDome said that no individual client details were accessible, as users who opened reporting could not open or view detailed information, documents or other personal information belonging to clients of other firms. No identifiable client information (e.g., Social Security numbers, financial accounts, client contact details, or client documents) was visible.

The issue was identified at 11:40 a.m. on Friday; a client notified TaxDome of the error at 12:08 p.m.; the reporting page was shut down to prevent further access at 12:40 p.m.; changes were applied to address the issue at 1:05 p.m.; and reporting was re-enabled in production at 1:20 p.m. 

The incident is said to have occurred due to human error, and TaxDome said corrective actions are being taken to prevent it at the system level. The issue was caused by a configuration error, not by hacking or unauthorized access by a malicious third party. Specifically, a third-party tool that powers the reporting function stores its data in rows, with row-level security (RLS) in place to ensure information is not visible between firms. During this incident, RLS was disabled for a single table due to human error. The reporting system is physically separate from TaxDome's main production system. At no point was TaxDome's production system accessible to any unauthorized users.

TaxDome said it will be implementing additional automated checks and release protocols for the reporting system to ensure data isolation protection cannot be misconfigured by human error; working with the vendor of the reporting system on a solution for system-level enforcement of data isolation protection; and providing employees with additional security training relevant to this incident.
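The article does not name the reporting vendor or its database, so the following is an added illustration, not TaxDome's or its vendor's configuration. It uses PostgreSQL-style row-level security to show the two things described above: how a per-firm RLS policy keeps one firm's reporting rows invisible to another, and what an automated release check for "RLS switched off on one table" can look like. The schema, table, column, role and setting names are assumptions made for the example.

```sql
-- Added example (not TaxDome's or its vendor's configuration). PostgreSQL
-- row-level security for a multi-tenant reporting table, plus an audit query
-- suitable for a release gate or scheduled check. All names are assumptions.

CREATE SCHEMA IF NOT EXISTS reporting;

-- One row per firm per period; firm_id is the tenant key.
CREATE TABLE reporting.firm_revenue (
    firm_id   integer       NOT NULL,
    period    date          NOT NULL,
    revenue   numeric(14,2) NOT NULL,
    PRIMARY KEY (firm_id, period)
);

-- Isolation between firms depends on BOTH statements below.
-- ENABLE turns RLS on for the table; FORCE applies the policies even to the
-- table owner, so an owner-privileged reporting connection cannot bypass them.
ALTER TABLE reporting.firm_revenue ENABLE ROW LEVEL SECURITY;
ALTER TABLE reporting.firm_revenue FORCE ROW LEVEL SECURITY;

-- Each reporting connection sets its tenant before querying, e.g.
--   SET app.current_firm_id = '42';
-- The policy then exposes only rows whose firm_id matches that setting.
CREATE POLICY firm_isolation ON reporting.firm_revenue
    USING (firm_id = current_setting('app.current_firm_id')::integer);

-- The misconfiguration the article describes amounts to a single statement
-- such as the one below (left commented out). With RLS off, a query against
-- the table returns every firm's rows regardless of app.current_firm_id.
-- ALTER TABLE reporting.firm_revenue DISABLE ROW LEVEL SECURITY;

-- Audit query: every ordinary table in the reporting schema must have RLS
-- enabled AND forced AND carry at least one policy. Any row this returns is
-- a tenant-isolation gap; a release pipeline should fail when the result set
-- is non-empty rather than rely on a person noticing the missing setting.
SELECT n.nspname              AS schema_name,
       c.relname              AS table_name,
       c.relrowsecurity       AS rls_enabled,
       c.relforcerowsecurity  AS rls_forced,
       count(p.polname)       AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'reporting'
  AND c.relkind = 'r'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity
    OR NOT c.relforcerowsecurity
    OR count(p.polname) = 0;
```

The audit query reads only the `pg_class` and `pg_policy` catalogs, so it can run against the reporting database from a deployment job with a read-only role; checking `relforcerowsecurity` as well as `relrowsecurity` matters because a policy that the connecting owner role silently bypasses offers the same cross-firm visibility as no policy at all.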

"First and foremost, we sincerely apologize for this incident," said TaxDome CEO Victor Radzinsky. "We understand how important data integrity is to your business and the trust you place in us. While no sensitive personal information was exposed and the issue was promptly contained, we take full responsibility for ensuring the security and reliability of our platform."
