A security breach in Florida’s tax website exposed sensitive filer data

Some Florida residents may be watching their finances closely after a security incident. Researcher Kamran Mohsin told TechCrunch that the Florida Department of Revenue’s website had a flaw that exposed hundreds of filers’ bank accounts and Social Security numbers. Anyone logging into the state’s business tax registration site could see, edit, and even delete personal data by simply changing the web address pointing to a taxpayer’s application number – all you had to do was change the numbers in the link.

There were more than 713,000 applications in the department’s pipeline at the time of discovery, Mohsin said. Mohsin notified the Department of the flaw on October 27.

Department representative Bethany Wester said in a statement that the government patched the flaw within four days of the report and two unnamed companies deemed the site secure. She added that there were “no signs” that attackers abused the flaw, but did not elaborate on how officials could have spotted misuse. The agency contacted all affected taxpayers by phone or in writing within four days of learning of the issue, and offered a year of free credit monitoring.

Bugs like these, known as insecure direct object references, are relatively easy to fix. Damages could also be limited compared to other tax-related offences, such as a Healthcare.gov intrusion which compromised an estimated 75,000 people in 2018. However, the incident underscores the potential harm of weak security – even small-scale exposure like this could be used to commit tax evasion and steal refunds.
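The server-side ownership check that closes an insecure direct object reference, and a log review that would surface misuse of one, as an added Python example (not code from the Florida site or from the researcher; the ownership table, log format and function names are constructed for illustration):

```python
# Added illustration; every name and record here is constructed, not taken from the real site.
from collections import defaultdict

# Constructed ownership table: application number -> account that filed it.
APPLICATION_OWNER = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "dave"}


def fetch_vulnerable(session_user, app_id):
    """The flawed pattern: any logged-in user gets whatever number is in the URL."""
    return app_id in APPLICATION_OWNER  # only checks that the record exists


def fetch_checked(session_user, app_id):
    """Object-level authorization: the record must belong to the session's account."""
    # "Missing" and "not yours" give the same answer, so replies do not confirm valid numbers.
    return APPLICATION_OWNER.get(app_id) == session_user


def parse_log_line(line):
    """Parse 'user METHOD /application/<id>' (constructed log format)."""
    user, method, path = line.split()
    return user, method, int(path.rsplit("/", 1)[1])


def flag_cross_account_access(log_lines, threshold=2):
    """Return {user: app ids} for users who touched >= threshold records they do not own."""
    foreign = defaultdict(set)
    for line in log_lines:
        user, _method, app_id = parse_log_line(line)
        if APPLICATION_OWNER.get(app_id) != user:
            foreign[user].add(app_id)
    return {u: sorted(ids) for u, ids in foreign.items() if len(ids) >= threshold}


# Constructed access log: bob opens his own record, then other filers' records.
SAMPLE_LOG = [
    "alice GET /application/1001",
    "bob GET /application/1002",
    "bob GET /application/1003",
    "bob POST /application/1004",
    "carol GET /application/1003",
]

if __name__ == "__main__":
    print(fetch_vulnerable("bob", 1003), fetch_checked("bob", 1003))
    print(flag_cross_account_access(SAMPLE_LOG))
```

The same ownership check has to guard the edit and delete paths, not only the view path, since all three were reachable through the application number.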
