I have been a user of the TurboTax Web-based service for about four years now. I have found it to be quite convenient and easy to use. But working at Computerworld, and regularly reading articles about retailers, government agencies, and universities losing or leaking personal data of ordinary citizens, I have always had a niggling worry at the back of my mind: How well does Intuit (the parent company of TurboTax) protect my data, and the data of millions of other customers? We have a great deal of faith that this private company is treating some of our most important personal data -- social security numbers, birthdates, salaries, charitable giving, and addresses -- with the utmost care.
Yet when I calculated my taxes last week using TurboTax for the Web, I hesitated when I was given the option of having our federal and state refunds deposited directly to our bank accounts. Part of the reason is I like to have paper records of every interaction with the federal government, but the other reason is I did not feel comfortable giving Intuit yet another piece of critical personal information -- bank account numbers and routing information. This is despite the TurboTax prompt that said "Rest assured, your data will be kept safe".
I was right to be reluctant. It turns out that our data was not kept safe. A woman in Nebraska reports that she was able to access the tax records of other people having the same last name, and see social security numbers and bank information:
In her laptop, Jennifer discovered a key to the backdoor of some tax returns filed online through Turbo Tax.
A Turbo Tax customer herself, Jennifer attempted to access some past filings, and the route she took online opened returns for several others with the same last name, but different first initials.
For security reasons we're not revealing the common last name or how Jennifer inadvertently gained access to three other Turbo Tax accounts.
She was able to access tax returns for three Turbo Tax customers she never met in different parts of the country.
There on her screen, everything needed for electronic filing from bank account to routing digits and of course social security numbers.
The Intuit spin masters have attempted to portray this as an isolated incident, but I don't believe it for a moment. The fact of the matter is the company has no idea how many of its customers may have had their information revealed to other customers -- or thieves. And if a customer was able to uncover this flaw, how many other as-yet unreported flaws are still affecting the TurboTax software? The Slashdot thread has been withering in its criticism of TurboTax, blaming everything from the IRS' E-File program to incompetent developers, but at least one person claims that he noted poor TurboTax security practices earlier in the year and tried to report them to the company.
Additionally, TurboTax is not the only "trusted" organization that has exposed sensitive records on the Web. Honeywell International, the U.S. Navy, the Better Business Bureau, and AOL have all been caught posting sensitive information on websites they control. Many more cases are listed here.
So, what do I and other TurboTax customers do next? While I was prudent to not reveal my bank information to TurboTax, they still have many other keys to the castle which could conceivably be used for identity theft. It's clear from Intuit's public statements that they really don't know how many people were affected, and chewing out a customer service rep wouldn't do much good. Instead, I'll have to go to the big credit agencies -- Experian, TransUnion, and Equifax -- and see if there are any signs of identity theft. The credit agencies, in my view, are part of the ID theft problem in this country, and have the gall to charge consumers for "protection" services to prevent strangers from abusing their own personal information. However, in my state they are required to give free credit reports every year to residents who request them -- and that's what I'll be doing now.