
IRS Accidentally Published Private Data of Nearly 120,000 Taxpayers

 

The Internal Revenue Service confirmed last week that it had accidentally exposed data for taxpayers’ IRAs to some non-profits and other tax-exempt entities, following a Wall Street Journal report that stated approximately 120,000 taxpayers who filed a Form 990-T may have been impacted by the error.

Form 990-T is used for reporting 'unrelated business income' paid to a tax-exempt organization, such as nonprofits (charities) or IRA and SEP retirement accounts. The income is commonly generated from sales unrelated to a nonprofit's primary motive or real estate investments that pay income into an individual retirement account. 

According to the Treasury Department, only 501(c)(3) organizations are required to make their Form 990-T available for public inspection. But in this case, a human coding error resulted in data from some non-501(c)(3)s also being made available for bulk download through the IRS' search portal for tax-exempt organizations.

The Washington-based department stated the data leak was discovered on August 26 but didn’t disclose how long the confidential information had been publicly available. Exposed data included names, contact details, and reported income for those IRAs. However, Social Security numbers, individual tax returns, and other sensitive data were not leaked.

“The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for the bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public. This section is primarily used by those with the ability to use machine-readable data; other more widely used sections of TEOS are unaffected,” Anna Canfield Roth, the Treasury’s acting assistant secretary for management, said in the letter.

The Treasury announced that the data has been removed from the website, and the agency will replace it with the correct documents in the coming weeks. The IRS also plans to contact all the impacted taxpayers. Additionally, the IRS will notify Congress, as it is required to report any security incident involving more than 100,000 individuals under the Federal Information Security Modernization Act.

“The IRS took immediate steps to address this issue. The files have been removed from IRS.gov and will be replaced with updated files in the near future. The IRS is continuing to review this situation. The Treasury Department has instructed the IRS to conduct a prompt review of its practices to ensure necessary protections are in place to prevent unauthorized data disclosures,” Roth further stated.

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign designed to steal their credentials and spread malware using counterfeit tax documents, the company has warned.

Robinhood Markets, Inc. is an American financial services company headquartered in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application launched in March 2015. Robinhood is a FINRA-regulated broker-dealer, registered with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The company's revenue comes from three main sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients.

Robinhood, which has faced various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.”

Attackers targeted clients in two ways, according to the email. One attack vector used phishing emails with links to counterfeit Robinhood sites that prompted visitors to enter their login credentials, including the authentication codes the company uses to help protect individuals' accounts. Other emails exploited the tax season, asking potential victims to download counterfeit tax files, such as Form 1099, that included malware, according to the email.

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” the email said. Robinhood recommended that individuals check the security features of the application on their devices, manually remove any devices they don't recognize from account access, and reset their passwords if they believe they might be at risk. The company also urged clients to reach out to its support team directly from the Robinhood application or its site.

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

Taxpayers' Personal Data Exposed Online in the UK

 

Various local councils in the UK have sent SMS messages to a large number of citizens urging them to pay outstanding sums. The messages contained links to online databases that hosted lists of other citizens whose information should not be available to anyone else. Unfortunately, there was no security or any form of verification to prevent the leak, so a large number of UK taxpayers have had their full names, home addresses, and outstanding debts exposed.

The blunder was the work of Telsolutions Ltd., a company that provides contact and communication services to the local councils and was contracted to urge tax defaulters to pay up. This is a common approach used by private and public entities around the world. Besides the psychological repercussions for the recipients of these messages, there is also the danger of data exposure.

Besides SMS, the council tax services also use emails and even recorded voice messages. All of this creates room for scammers as well, since taxpayers having to deal with official communications from the state through third parties is an ideal setting for fraud. News of this exposure reached The Register, which checked and confirmed that the information was indeed accessible via the short links that were sent. All of the shared URLs have now been taken offline, as both Telsolutions and some of the authorities were informed of the mistake. However, as the UK news site notes, web crawlers have already captured some of these public entries, enabling people to search for others and see their addresses, tax debts, etc.

After investigating the enumerable URLs, it was found that London's Bexley Council, a client of the Telsolutions service, had implemented no authentication at all. Anybody could freely see the full details of an alleged tax defaulter in the borough without proving their identity. To see the data of another taxpayer, a recipient simply had to follow the URL from the SMS, modify the alphanumeric characters, and click a button labeled "proceed".

Altogether, apparently, 14 councils have followed the same flawed method after trusting this particular service provider. These include Barnet, Bexley, Brighton, Cardiff, Coventry City, Greenwich, Lambeth, Redbridge, Southampton City, and Walsall.
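The unauthenticated, enumerable links described above can be contrasted with a hardened design in a short sketch. This is an added example, not code from Telsolutions, the councils or the original post; the record fields, the `account_no` identity check and the class and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: references, names and amounts are invented.
RECORDS = {
    "AB12CD": {"name": "A. Example", "account_no": "70012345", "owed": "412.50"},
    "AB12CE": {"name": "B. Sample", "account_no": "70067890", "owed": "98.00"},
}

def weak_lookup(ref):
    """Flawed pattern: the reference in the URL alone returns the record."""
    return RECORDS.get(ref)

class NoticeLinks:
    """Hypothetical hardened link service: random token, expiry, identity check."""

    def __init__(self, ttl=7 * 24 * 3600, max_attempts=3):
        self.ttl, self.max_attempts = ttl, max_attempts
        self._links = {}  # sha256(token) -> state; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, ref, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 random bits, not derived from ref
        self._links[self._key(token)] = {"ref": ref, "exp": now + self.ttl, "fails": 0}
        return token

    def view(self, token, account_no, now=None):
        now = time.time() if now is None else now
        link = self._links.get(self._key(token))
        if link is None or now > link["exp"] or link["fails"] >= self.max_attempts:
            return None  # unknown, expired or locked: same answer for all three
        record = RECORDS[link["ref"]]
        if not hmac.compare_digest(account_no.encode(), record["account_no"].encode()):
            link["fails"] += 1  # a link locks after repeated wrong answers
            return None
        # Return only what the recipient needs; no address or other fields.
        return {"name": record["name"], "owed": record["owed"]}
```

The token carries no information about the record, so editing characters in the URL yields an unknown link rather than a neighbour's entry, and even a forwarded or crawled link shows nothing without the second check.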