Even if you don’t store your tax data in financial software yourself, chances are your CPA or tax preparer does. Have you ever wondered what kind of software or security procedures your trusted advisor has in place to protect your name, address, W-2, tax filings, or Social Security Number? Better yet, have you audited them? I have, and you won’t believe what I found.

The tax preparation market is an $11 billion industry, with nearly half the revenue generated from North America. Yet there is little to no oversight of the software vendors and preparers handling your sensitive data. According to a 2017 survey of over 3,500 CPAs, five flavors of tax software make up 90% of the market share in small firms with 1 to 20 preparers (Bonner, 2017).

We may trust our tax preparer. After all, we gave them all our financial data. But what about the software they are using to file our taxes? Is it secure?

In my upcoming talk at BSidesLV 2018, I’ll go into detail about the overall lack of information security in the financial/tax industry, and more specifically, how CPA and tax preparation firms are leaving your data exposed. During a recent security assessment of a CPA firm, I discovered an information disclosure vulnerability in one of the top five most-used tax preparation software packages in the world. My talk at BSidesLV will describe the findings and how an attacker could obtain thousands of Social Security Numbers in a matter of seconds.

For many years, small CPA firms justified their lack of information security controls by arguing that they were too small to be a target. “Why would I be a target with 10 CPAs and 5,000 customers when EY has millions of customers?” is a common theme among smaller tax preparation firms. However, small firms may be the more attractive target precisely because of their limited resources, unencrypted storage, outdated software, and lack of a cybersecurity program.
From my years of experience providing cybersecurity consulting services in the financial sector, the minimal effort it takes to compromise small CPA firms makes them prime targets. Once a firm is compromised, an attacker may fraudulently file your tax returns to collect a large refund check, steal your identity, or open credit in your name.

If a CPA or tax preparer has filed taxes on your behalf in the last 10 years, you won’t want to miss this talk. Your name, spouse’s name, home address, phone number, email address, business name, and Social Security Number may be exposed by your CPA without them ever knowing. Hopefully this talk will inform the public about a zero-day vulnerability in a major tax preparation software package, push vendors globally to put more emphasis on protecting taxpayer data, and make progress toward better cybersecurity by educating consumers.

Like what the author has to say, or want more training? In addition to upcoming talks and training at conferences throughout 2018, Michael Wylie will be providing an all-day workshop at BSidesLV titled “Deep Dive into NMAP & Network Scanning.” More information can be found at https://corporateblue.com/blog.
About the Author: Michael Wylie, MBA, CISSP is the co-founder of Corporate Blue, a cybersecurity consulting firm that serves clients in their pursuit of mitigating cyber threats. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, risk management, incident response, penetration testing, cloud security, and training. Michael has developed and taught numerous courses for the Department of Defense, universities, ISSA, ISACA, and clients internationally. Michael holds the following certifications: VMware VCP-DCV, Cisco CCNA Routing/Switching & CyberOps, Security+, Project+, Pentest+, CEH, CEI, Splunk User, CHPA, Dell Security, CISSP, and more.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.