
BSidesLV Preview: Your Taxes are Being Leaked
Even if you don’t store your tax data in financial software yourself, chances are your CPA or tax preparer does.
Have you ever wondered what kind of software or security procedures your trusted advisor has in place to protect your name, address, W-2, tax filings, or Social Security Number? Better yet, have you audited them? I have, and you won’t believe what I found.
The tax preparation market is an $11 billion industry, with nearly half of its revenue generated in North America. Yet there is little to no oversight of the software vendors and preparers handling your sensitive data.
According to a 2017 survey of over 3,500 CPAs, five flavors of tax software make up 90% of the market share in small firms ranging from 1-20 preparers (Bonner, 2017). We may trust our tax preparer; after all, we gave them all our financial data. But what about the software they use to file our taxes? Is it secure?
In my upcoming talk at BSidesLV 2018, I’ll go into detail about the overall lack of information security in the financial/tax industry and, more specifically, how CPA and tax preparation firms are leaving your data exposed.
During a recent security assessment of a CPA firm, I discovered an information disclosure vulnerability in one of the top five most-used tax preparation software packages in the world. My talk at BSidesLV will describe the findings and how an attacker could obtain thousands of Social Security Numbers in a matter of seconds.
For many years, small CPA firms justified their lack of information security controls because they were too small to be a target. “Why would I be a target with 10 CPAs and 5,000 customers when EY has millions of customers?” is a common theme among smaller tax preparation firms. However, small firms may be more of (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/events/bsideslv-taxes-leaked/