Identity Theft is on the cards again for users of Intuit TurboTax as the company has suffered a significant data breach – One of many in the last few years. The company notified customers of the breach, in which hackers stole personal and financial information following a series of account takeovers. In a breach notification letter sent to affected customers earlier this month, the company said that this was not a “systemic data breach of Intuit.” In account takeover attacks, cybercriminals gain access to their victims’ accounts using credentials stolen from other online services following past data breaches.
This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services. “We have more than 100 million customers and see billions of transactions per year with ATO notifications going to less than .0003% of customers and some of those confirmed by the customer after the fact as their activity (not an ATO),” Rick Heineman, Intuit Corporate Communications Vice President, said in a statement to BleepingComputer.
TurboTax is a software package for the preparation of American income tax returns, produced by Intuit. TurboTax is a market leader in its product segment, competing with H&R Block Tax Software and TaxAct. TurboTax was developed by Michael A. Chipman of Chipsoft in 1984 and was sold to Intuit in 1993.
Intuit discovered the breach during a security review, in which they found an undisclosed number of TurboTax accounts were breached and customer info was exposed. This has lead to a fear of identity theft.
“By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return,” Intuit explained.
“We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information,” the company added.
After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit’s Customer Care department at 1-800-944-8596 and say “Security” when prompted.
This is not the first time a TurboTax breach has sparked identity theft concerns.
TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.
Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.
The Dangers of Identity Theft
Identity Theft can be absolutely devastating for an individual. Usually, in the world of malware, we know certain things can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom for access to our data. The point is, with most types of Malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft is much longer.
Once your stolen information is used once, it can take anywhere from a few days to six months for that one incident. But your information is out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.
Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.
Now more than ever do we have data tied into our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses – All of these and more form a picture of us as lines in a database.
And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.
To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold over time, repeatedly, meaning that if you notice your identity has been stolen and used, it can be used in several instances over a long period of years.
There are some guidelines from the US government in discovering if you are a victim of identity theft if it is not immediately obvious:
- You stop receiving your regular bills and credit card statements.
- You receive statements for accounts you never opened.
- Debt collectors start calling you day and night about debts you’ve never heard of.
- The IRS alleges you failed to report income for a company you never worked for.
- You see withdrawals/charges on your bank or credit card statement that you didn’t make.
- You try to file your taxes only to discover that someone else beat you to it.
- You try to file your taxes and find someone claimed your child as a dependent already.
- Your credit report includes lines of credit you never opened.
- Your credit score fluctuates wildly and for no apparent reason.
- The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
- If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.
Protection
In some cases, a victim cannot be faulted for identity theft. For example, those affected by the data breach handed their information over to companies in good faith in the story above. Unfortunately, these companies, or more specifically the vendor, failed in protecting this information. However, many other times, business owners and families are singled out and targeted in their offices and homes.
For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.