Tax season is in high gear and with it comes the need to be extra vigilant about how tax records are handled. After all, your tax records “have everything” that can be considered Personally Identifiable Information (PII). PII refers to information that can be used to uniquely identify, contact, or locate a single person, or that can be combined with other sources to uniquely identify a single individual.
Stephen Chapman over at ZDNet observed that as of 4/10/2011, there were over 50 tax documents containing any given combination of Social Security numbers, credit card information, names, addresses, tax IDs, and phone numbers being made available online.
What makes this form of data leakage different from the rash of email addresses and password hacks we’ve been inundated with of late is that these documents are being unknowingly made freely available to prying eyes by the very owners of said information.
Why is this happening? The key word is “unknowingly”. Many people have personal web sites and mistakenly think that storing their personal documents on their personal or family web site counts as a “backup”. That would be fine, except that these documents are dumped on these web sites unencrypted and without even simple password protection.
Web sites get indexed by search engines like Google, Yahoo!, Bing etc. When most people file their taxes, the tax preparation software usually allows a completed return to be stored as a PDF file for viewing without having to open the program, or the documents get scanned if they used a tax service. These files are then uploaded to the web site where they get indexed and eventually end up in the public domain.
But it is not just personal web sites that are culpable. There are educational web sites with these types of documents residing on them. Let us not forget that some users probably installed peer-to-peer software on their computers without paying attention to which documents would be shared. It may also be possible that an application a user installed turned their computer into a web server without their knowledge.
Here’s an example from Stephen’s article, describing a screenshot of one exposed return:
“What you see there is one page from a 1040 form containing 5 names, 5 Social Security numbers, one address, and total yearly income. This whole family — husband, wife, and three children — is potentially at stake for identity theft, and that is if it hasn’t already happened since this particular document has resided on their Web site for quite a while (as noted by the date shown for when the file was uploaded to their site)”.
The overall effect is that the owners of exposed documents are vulnerable to having their identity stolen, but more critically, the PII of the children these individuals list on their returns for obtaining tax credits is exposed as well. As Stephen notes, “That takes identity theft into a completely different atmosphere since a child having their identity stolen most likely will not find out until years down the road long after the damage has been done and the perpetrator has vanished. The potential consequences of such ignorance are far-reaching.”
So what do you do?
Here are some suggestions:
- Do not store unencrypted sensitive personal data online! That’s about as cut-and-dry as it gets.
- If you must store private information online, then enable authentication which requires you to log in before you can see or download the contents of a directory. Additionally, password-protect your files and change or encrypt file names so that they cannot show up in searches related to their file names or attract the attention of potential intruders (e.g. if someone is digging around for tax information on your site and they see a file called “Tax-Information-2011.ppsx”, they are certainly going to check out that file).
- If you find your information has been indexed in a search engine, remove your file(s) immediately from your Web site, then contact the search engine to have both the indexed and cached results removed. Don’t just remove the file(s) from your site, because someone could still view a search engine-cached version of the file(s).
- To see if your information has been compromised, check any and all logs from your Web site dating back to the day you placed the file on your site. If you see download activity on your file(s) from an IP address you do not recognize, then there’s a good chance your personal information has been compromised. Acceptance will undoubtedly be difficult, but it’s necessary to move forward with preventing further damage.
- If you suspect you have become a victim of identity theft, it may behoove you to obtain a credit report, sign up for credit monitoring, and reach out to your local FBI branch to report any findings you may have with regards to your personal information being stolen and utilized.
- If you have P2P software installed, verify the shared directory and make sure you are not sharing your entire hard drive!
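The log check suggested above, worked through as an added example that is not part of the original post: a small Python script that parses constructed Apache-style access log lines, keeps only successful downloads of the sensitive file, and flags search-engine crawler fetches, visits referred from a search results page, and IPs that are not on an owner-supplied allowlist. The file path, log lines, IP addresses and allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample Apache "combined" access log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2011:08:13:21 -0400] "GET /docs/Tax-Information-2011.pdf HTTP/1.1" 200 184320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [12/Apr/2011:09:02:45 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Apr/2011:22:41:09 -0400] "GET /docs/Tax-Information-2011.pdf HTTP/1.1" 200 184320 "http://www.google.com/search?q=1040+pdf" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [14/Apr/2011:10:15:33 -0400] "GET /docs/Tax-Information-2011.pdf HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Apr/2011:10:16:02 -0400] "GET /docs/Tax-Information-2011.pdf HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

# Fields of the Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")  # common search-engine user agents

def audit_downloads(log_text, sensitive_path, known_ips):
    """Return {ip: [record, ...]} for every successful GET of sensitive_path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != sensitive_path:
            continue
        # A 404 or a HEAD did not actually deliver the file, so skip those.
        if m.group("method") != "GET" or not m.group("status").startswith("2"):
            continue
        ua = m.group("ua").lower()
        hits[m.group("ip")].append({
            "time": m.group("ts"),
            "crawler": any(k in ua for k in CRAWLER_MARKERS),   # indexed by a search engine
            "via_search": "search" in m.group("referer").lower(),  # arrived from a results page
            "known": m.group("ip") in known_ips,                  # the owner's own addresses
        })
    return dict(hits)

def suspicious_ips(hits):
    """IPs that downloaded the file and are not on the owner's allowlist."""
    return sorted(ip for ip, recs in hits.items() if not recs[0]["known"])

def was_indexed(hits):
    """True if any download came from a search-engine crawler."""
    return any(r["crawler"] for recs in hits.values() for r in recs)

if __name__ == "__main__":
    h = audit_downloads(SAMPLE_LOG, "/docs/Tax-Information-2011.pdf", {"198.51.100.23"})
    print("indexed by crawler:", was_indexed(h))
    print("unrecognized downloaders:", suspicious_ips(h))
```

A crawler fetch means the file must also be removed from the search engine's index and cache, not just from the site.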
I am a big fan of encryption wherever possible. A simple free tool is Axcrypt from Axantum. Some of the features of Axcrypt are:
- AES encryption with 128-bit keys.
- Edit an encrypted document directly with double-click.
- Optional pass phrase cache – type pass phrases once per logon and/or reboot.
- Automatic pass phrase validation before decryption or editing.
- Key-File generation and support.
- It is free!
This tool, once installed, integrates with Windows Explorer: you can right-click a file and encrypt it with a simple passphrase, a password, or a key file that the software generates for you.
I want to stress, as Stephen did, that this is entirely informational and is aimed at creating awareness. Do not ask me for the methods used or the URLS.