TurboTax reports data breach, suspends online filings
WALL STREET JOURNAL -- The nation’s biggest online tax-software company halted electronic filing of all state returns amid reports from states of criminal attempts to obtain refunds through its systems.
Intuit said its TurboTax unit took action Thursday after seeing attempts to use stolen personal information to file fraudulent returns for tax refunds.
The tax-software company said that after a preliminary examination with Palantir Technologies, which provides security and antifraud services, it believes there wasn’t a breach of Intuit systems and that “the information used to file fraudulent returns was obtained from other sources outside the tax preparation process.” It said the examination is continuing.
Utah tax authorities said in a statement that “the fraudulent filings originate from data compromised through a third-party commercial tax preparation software process.” The potentially fraudulent returns were all filed through TurboTax, said Charlie Roberts, a spokesman for the Utah State Tax Commission.
“We don’t know if the fraudster got the information directly from TurboTax, from the cloud, from the cloud provider, or some other means. We just know that our systems weren’t compromised,” Mr. Roberts said.
The Utah spokesman also said that the recent incidents are “more than normal identity theft where someone steals a Social Security number and makes up information.” A key difference: “Fraudsters obtained information that’s generally only found on income-tax returns.” In some cases, the fraudulent 2014 returns closely resemble 2013 returns, with only minor alterations—implying that the scammer had access to the taxpayers’ 2013 returns.
Any such “account takeovers” weren’t the result of a data breach at Intuit, company spokeswoman Julie Miller said. “Perhaps someone got a name and guessed a password,” she said.
On Thursday more than 100 tax officials from dozens of states participated in a conference call organized by the Federation of Tax Administrators to discuss the unfolding situation, according to a spokesman for the group.
Then, on Friday, TurboTax hosted a conference call with state tax officials, at which the company said it was identifying returns that it believes are fraudulent and those that aren’t. This process for distinguishing between them is proprietary, but fraud indicators could include several refunds wired to one bank account or the filing of a state return without a federal return, said Intuit spokeswoman Ms. Miller.
The tax-software company said customers who believe they are victims of tax fraud can call a dedicated toll-free number, 800-944-8596. It also said it will provide identity-protection services and free credit monitoring, as well as tax-filing help at no charge for affected customers.
“We’ve identified specific patterns of behavior where fraud is more likely to occur,” said Brad Smith, Intuit’s president and chief executive, in the company’s release. “We’re working with the states to share that information and remedy the situation quickly.”
Intuit is the biggest player in tax-preparation software. Last year TurboTax products were used to prepare 29 million returns, while H&R Block and TaxAct, which is a unit of Blucora, each assisted with about seven million self-prepared returns.
There’s no estimate of how many state tax returns have already been filed using TurboTax this year, but last year TurboTax e-filed 21 million state tax returns.
H&R Block has no indication of similar problems with its state tax filings, company spokesman Gene King said Friday. “H&R Block continues to file state and federal returns as usual,” he said.
The Block spokesman also said his company’s anti-fraud controls include requiring an e-filed federal return to have been accepted by the U.S. prior to transmitting a state e-filed return. With TurboTax, by contrast, it is possible to e-file a state return without e-filing a federal return, Intuit confirms.
A TaxAct spokeswoman said that company is not seeing similar fraud issues and that customers can file state and federal returns as usual.
For TurboTax customers who have filed their state tax returns using the service—but whose returns haven’t yet been transmitted to state authorities—Intuit said it will transmit those returns as soon as possible. Customers don’t need to take further action at this time, the company said.
Intuit also said that the action doesn’t affect the e-filing of federal income tax returns.
Tax fraud related to identity theft is an issue at the federal as well as the state level. The Internal Revenue Service estimated that it paid $5.2 billion in fraudulent ID-theft-related refunds in the 2013 filing season, while blocking attempts at another $24.2 billion in such refunds, according to an August 2014 report by the U.S. Government Accountability Office. Such fraud “is a persistent, evolving threat to honest taxpayers and tax administration,” the GAO said.
One possibility is that fraud artists who obtain stolen personal data are finding it easier to obtain fraudulent refunds from states rather than the IRS. At the federal level, a second use of a Social Security number could send up a red flag for fraud, noted Block spokesman Mr. King. By contrast, “a single Social Security number could be filed at multiple state agencies without any knowledge that this was being used fraudulently across multiple states,” he said.
Utah, Alabama, Minnesota and Georgia issued press releases Thursday expressing concern that fraudulent returns are being e-filed this year. According to the press release from Utah, 19 states have identified potential fraud issues.
Minnesota announced it has stopped accepting tax returns submitted by individuals using TurboTax, although it is still accepting returns filed using Intuit professional-preparer products.
Alabama tax officials say they have identified up to 16,000 returns suspected of being fraudulent.
No other providers have yet been identified as a source of fraudulent state e-filed returns.
Intuit this year angered some longtime users of its software by quietly making changes to the products that would have required some customers to upgrade to more expensive versions to file 2014 tax returns. Late last month, the company said it would reverse the changes next year—while also shielding customers from, or compensating them for, additional costs incurred this year.
The company’s shares fell 4.2% in Friday trading.