Florida's Tax Website Exposed Hundreds of Filers' Sensitive Records: Bank Accounts, Social Security Numbers

The flaw is known as an Insecure Direct Object Reference (IDOR).

A security researcher revealed a flaw on the Florida Department of Revenue website, exposing at least hundreds of tax filers' Social Security Numbers and bank account numbers.


Tax Website Exposes Sensitive Data

Security researcher Kamran Mohsin revealed a now-fixed security flaw on Florida's Department of Revenue website. According to a report from TechCrunch, it exposed taxpayers' sensitive data, including bank account numbers and Social Security numbers.

This is known as an Insecure Direct Object Reference (IDOR), a flaw category in which a server hands out stored data because it fails to check that the requester is actually authorized to access the object named in the request. Unlike many other bugs, however, flaws of this type can be fixed immediately.

Mohsin, and anyone else logged in to the state business tax website, could access, modify, and even delete personal data simply by changing the application number in the web address to that of another taxpayer.
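The pattern described above, as an added illustration that is not code from the article or from the Florida site: a lookup keyed only on the id taken from the URL (the IDOR), beside the same lookup with an object-level ownership check, plus a small detection helper that flags a session probing many ids it does not own. The record store, account names, handler names, and sample values are all constructed for the example.

```python
"""Added example (not from the article or the Florida Department of Revenue):
a minimal model of the IDOR pattern and its fix.

Assumptions (constructed for illustration): tax registrations are stored under
a numeric application id, and each record carries the account that submitted
it. Handler names, the in-memory store, and the sample records are hypothetical.
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("idor-demo")


@dataclass
class Registration:
    application_id: int
    owner_account: str
    bank_account: str   # constructed sample value, not real data
    ssn_last4: str      # constructed sample value, not real data


# Constructed in-memory "database": application id -> record.
STORE: Dict[int, Registration] = {
    1001: Registration(1001, "alice", "bank-acct-111", "1234"),
    1002: Registration(1002, "bob", "bank-acct-222", "5678"),
}

# Constructed audit trail of denied requests. In a real deployment this would
# feed the SIEM so that one session walking through foreign ids raises an alert.
DENIED: List[Tuple[str, int]] = []


def fetch_vulnerable(session_user: str, application_id: int) -> Optional[Registration]:
    """The IDOR: the id from the URL is looked up directly. Being logged in is
    the only gate, so any authenticated user can read any application by
    editing the number in the address bar."""
    return STORE.get(application_id)


def fetch_hardened(session_user: str, application_id: int) -> Optional[Registration]:
    """Object-level authorization: the record is returned only if the
    requesting session owns it. A missing record and someone else's record
    both yield None, so the response does not reveal which ids exist."""
    record = STORE.get(application_id)
    if record is None or record.owner_account != session_user:
        DENIED.append((session_user, application_id))
        log.info("denied: user=%s application_id=%d", session_user, application_id)
        return None
    return record


def suspicious_sessions(threshold: int = 3) -> Set[str]:
    """Detection helper: sessions denied access to at least `threshold`
    distinct application ids, the signature of id enumeration."""
    per_user: Dict[str, Set[int]] = {}
    for user, app_id in DENIED:
        per_user.setdefault(user, set()).add(app_id)
    return {user for user, ids in per_user.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # "bob" asks for alice's application: the vulnerable path returns it,
    # the hardened path refuses and records the attempt.
    print(fetch_vulnerable("bob", 1001))
    print(fetch_hardened("bob", 1001))
    for probe in (1000, 9999):
        fetch_hardened("bob", probe)
    print("sessions to review:", suspicious_sessions())
```

The fix is the ownership comparison, not a harder-to-guess id: sequential application numbers are harmless once every read, update and delete path checks that the authenticated account owns the object. Logging the denials is what turns the check into a detection as well as a control.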

More than 713,000 applications were in the Department's system at the time Mohsin discovered the flaw. He said he notified the Florida Department of Revenue on October 27 through the email address provided for such reports. Although the bug was fixed, he said the department had not contacted him since.

Government's Response

Fortunately, Engadget reported that the government fixed the flaw within four days of the report. Department representative Bethany Wester stated that two firms have since deemed the site secure.

"The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information," she stated. Despite this, there are no signs that attackers abused the flaw. Such a weakness could be used to commit tax fraud and steal refunds.

For transparency, the department contacted every affected tax filer by phone or in writing within four days. In addition, free credit monitoring was offered as a further safeguard.

In some cases, hackers have taken advantage of these kinds of flaws. Healthcare.gov experienced a similar situation in 2018, when sensitive data was stolen in a security breach. The Centers for Medicare and Medicaid Services (CMS) stated that Social Security numbers, tax information, and immigration status were obtained during the breach, which affected 75,000 people.

In May, Verizon also experienced a data breach that exposed employees' full names, corporate identification numbers, email addresses, and phone numbers.

The Australian health insurer Medibank Private also experienced a data breach last month that exposed the data of 9.7 million current and former customers and their authorized representatives, including names, dates of birth, addresses, phone numbers, and email addresses.

Written by Inno Flores
TechTimes, ⓒ 2024 TECHTIMES.com. All rights reserved. Do not reproduce without permission.