Breach exposes H&R Block customers' tax records (2024)

H&R Block's online tax filing service exposed some customers' sensitive financial records to other customers last weekend, prompting the company to shut down the system yesterday afternoon, CNET has learned.

The company's Web-based tax preparation service, which is the premier sponsor of Yahoo's Tax Center, experienced a technical glitch that accidentally switched some tax filers' records, H&R Block confirmed today. As a result, when some registered users signed on to the service to work on their tax returns, they instead received someone else's filing--including a social security number, home address, annual income and other highly sensitive information.

"What we discovered was that some of our clients' data was appearing in other clients' data files," said Linda McDougall, vice president of communications for H&R Block. "We're keeping it down until we're convinced that the problem has been corrected."

McDougall emphasized that the problem only affected the Web-based preparation and filing of returns. Taxes processed with H&R Block's preparation software or at one of the company's offices were not exposed, she said.

The software glitch revealed the confidential records of at least 50 people, although the full extent of the problem will not be known until the company completes an internal audit, McDougall said. She added that at least 10 customers have contacted the company about the problem.

"Once we determined this, we took our system offline immediately and we began an audit of our entire customer database," McDougall said.

"We're confident that it wasn't due to a hacker--we feel that it was a software problem within our system," she added. "No return has been filed to the Internal Revenue Service that contains inaccurate data."

This is the second time in two weeks that H&R Block's $9.95 "Do-it-yourself" Net filing service--which more than 300,000 people have used so far this year--has suffered a technical problem and had to be shut down. H&R Block expects to handle more than 650,000 returns via the Net this year.

Other Web sites also have had security concerns in recent months. For example, RealNames, a company that substitutes complicated Web addresses with simple keywords, warned its users last week that its customer database had been hacked, and that user credit card numbers and passwords may have been accessed.

The H&R Block privacy breach was no doubt startling to some users who chose the 40-year-old company over other online services, such as Intuit's TurboTax software. User anxiety was intensified because it occurred on the weekend, making it difficult to locate an H&R Block employee who could address the problem.

Joshua Kasteler of the San Francisco Bay area said he was tackling his EZ 1040 on Sunday when the H&R Block system started to act sluggish. Kasteler logged off, and when he signed on to the password-protected site an hour later, he was given access to the records of another H&R Block customer.

"Instead of my information, it was a gentleman from Texas who worked for Advanced Micro Devices," Kasteler said, noting that the forms also listed the other person's phone number, address, social security number and annual income. "I assumed that someone else has my information, too, because this guy's information fell into my lap. I had this guy's life."

Kasteler said he emailed and called H&R Block but still had not heard back from the firm as of late today. So he decided to call the man whose information he had accessed: James Keech, a maintenance technician who also had trouble with the H&R Block site and had been unable to process his return since Thursday.

"When (Kasteler) called, I was freaking," Keech said. "I was like, 'If he's got it, how many other people have my file and aren't being honest and letting me know.' "

Keech said he called H&R Block and was told that there had been a security problem. He has asked that his data be deleted from the system.

"I'll probably go to a regular tax filing office now," he said. "It would have been easier to fill it out on paper."

The 1040 EZ is a simplified IRS form that does not include information such as itemized deductions, capital gains or rental income.

H&R Block's privacy policy states that "information contained in your tax return will be treated with extreme care and confidence...we will never disclose any tax return information without your consent." Like many Web sites, however, the policy doesn't address information that is accidentally disclosed without permission.

With the growth of the Net, consumer advocates have been pushing for umbrella data-protection laws to safeguard U.S. computer users, who may be giving up more information in the digital age that makes them vulnerable to fraud and privacy breaches.

The Clinton administration and Congress, however, have been reluctant to pass new privacy laws that impose stricter penalties for firms that don't secure the data they collect. Instead, the U.S. government has favored industry-developed guidelines.

Breach exposes H&R Block customers' tax records (2024)


What is the H&R Block scandal? ›

H&R Block used deceptive marketing and unfairly deleted tax filer data, FTC complaint alleges. The Federal Trade Commission has filed an administrative complaint against H&R Block, alleging the company deceptively marketed free filing products and wrongfully deleted users' tax data.

Did H&R Block have a data breach? ›

Yes. H&R Block has been named as a defendant in multiple class action lawsuits related to sharing confidential tax data. In addition to H&R Block, the other class actions also name TaxAct and TaxSlayer as defendants.

How did H&R Block deceive customers? ›

According to an administrative complaint that will be available soon on the FTC website, H&R Block has used an extensive TV and online campaign to deceptively market its services as “free” – as in “nada. . . zip. . . zilch” – when the services weren't free for most filers.

Does H&R Block share information? ›

We do not sell or rent your information (including your social security number). We may disclose your information as permitted by law or with your consent to other H&R Block The privacy and security of your information is important to us.


Top Articles
Latest Posts
Article information

Author: Amb. Frankie Simonis

Last Updated:

Views: 6168

Rating: 4.6 / 5 (76 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Amb. Frankie Simonis

Birthday: 1998-02-19

Address: 64841 Delmar Isle, North Wiley, OR 74073

Phone: +17844167847676

Job: Forward IT Agent

Hobby: LARPing, Kitesurfing, Sewing, Digital arts, Sand art, Gardening, Dance

Introduction: My name is Amb. Frankie Simonis, I am a hilarious, enchanting, energetic, cooperative, innocent, cute, joyous person who loves writing and wants to share my knowledge and understanding with you.