February 15, 2000 7:10 PM PST
Breach exposes H&R Block customers' tax records
The company's Web-based tax preparation service, which is the premier sponsor of Yahoo's Tax Center, experienced a technical glitch that accidentally switched some tax filers' records, H&R Block confirmed today. As a result, when some registered users signed on to the service to work on their tax returns, they instead received someone else's filing--including a social security number, home address, annual income and other highly sensitive information.
"What we discovered was that some of our clients' data was appearing in other clients' data files," said Linda McDougall, vice president of communications for H&R Block. "We're keeping it down until we're convinced that the problem has been corrected."
McDougall emphasized that the problem only affected the Web-based preparation and filing of returns. Taxes processed with H&R Block's preparation software or at one of the company's offices were not exposed, she said.
The software glitch revealed the confidential records of at least 50 people, although the full extent of the problem will not be known until the company completes an internal audit, McDougall said. She added that at least 10 customers have contacted the company about the problem.
"Once we determined this, we took our system offline immediately and we began an audit of our entire customer database," McDougall said.
"We're confident that it wasn't due to a hacker--we feel that it was a software problem within our system," she added. "No return has been filed to the Internal Revenue Service that contains inaccurate data."
This is the second time in two weeks that H&R Block's $9.95 "Do-it-yourself" Net filing service--which more than 300,000 people have used so far this year--has suffered a technical problem and had to be shut down. H&R Block expects to handle more than 650,000 returns via the Net this year.
Other Web sites also have had security concerns in recent months. For example, RealNames, a company that substitutes complicated Web addresses with simple keywords, warned its users last week that its customer database had been hacked, and that user credit card numbers and passwords may have been accessed.
The H&R Block privacy breach was no doubt startling to some users who chose the 40-year-old company over other online services, such as Intuit's TurboTax software. User anxiety was intensified because it occurred on the weekend, making it difficult to locate an H&R Block employee who could address the problem.
Joshua Kasteler of the San Francisco Bay area said he was tackling his EZ 1040 on Sunday when the H&R Block system started to act sluggish. Kasteler logged off, and when he signed on to the password-protected site an hour later, he was given access to the records of another H&R Block customer.
"Instead of my information, it was a gentleman from Texas who worked for Advanced Micro Devices," Kasteler said, noting that the forms also listed the other person's phone number, address, social security number and annual income. "I assumed that someone else has my information, too, because this guy's information fell into my lap. I had this guy's life."
Kasteler said he emailed and called H&R Block but still had not heard back from the firm as of late today. So he decided to call the man whose information he had accessed: James Keech, a maintenance technician who also had trouble with the H&R Block site and had been unable to process his return since Thursday.
"When (Kasteler) called, I was freaking," Keech said. "I was like, 'If he's got it, how many other people have my file and aren't being honest and letting me know.' "
Keech said he called H&R Block and was told that there had been a security problem. He has asked that his data be deleted from the system.
"I'll probably go to a regular tax filing office now," he said. "It would have been easier to fill it out on paper."
The 1040 EZ is a simplified IRS form that does not include information such as itemized deductions, capital gains or rental income.
With the growth of the Net, consumer advocates have been pushing for umbrella data-protection laws to safeguard U.S. computer users, who may be giving up more information in the digital age that makes them vulnerable to fraud and privacy breaches.
The Clinton administration and Congress, however, have been reluctant to pass new privacy laws that impose stricter penalties for firms that don't secure the data they collect. Instead, the U.S. government has favored industry-developed guidelines.