The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system.
A notice (PDF) posted on the department’s website warned that taxpayers who filed a Property Transfer Tax return through the department’s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.
The department said it discovered the vulnerability, which could allow a threat actor to use a person’s credentials to access tax info, on July 2. The flaw was in the verification process of its online filing system for this particular type of return, according to the notice. Property Transfer Tax returns are filed when someone acquires a property or transfers ownership of one.
“Verification credentials for electronically filed property transfer tax returns available in public municipal records could be used to access previously submitted tax return information,” the department said in the notice. “The credentials could have been used to access private information including the social security number of the buyer of the property, and last four digits of the social security number of the seller of the property.”
The department “immediately” disabled the vulnerable functionality and patched the flaw so that information in the municipal records cannot be used to search for previously submitted Property Transfer Tax returns, according to the notice.
The state said it has no way to determine if someone’s individual data was accessed. However, at this time the department has not received any reports of unauthorized access to property transfer tax returns and believes chances are “low” that it occurred.
Taxpayer data, which typically includes people’s Social Security numbers, has historically been a valuable commodity for threat actors, particularly because it can open the door to unauthorized access to people’s financial accounts.
One of the most recent examples of how it can be used came during the early days of the Covid-19 outbreak in the United States, when threat actors were seen on hacker forums buying and selling taxpayer data to use it to steal various U.S. government pandemic appropriations as well as 2020 tax refunds.
Despite its belief that no data was leaked, the Vermont tax department is encouraging anyone who filed property tax returns during the time frame affected to take the situation seriously. The agency advised people to take steps outlined in a list of tips to guard against identity theft that are posted online with the advisory.
Those tips include reviewing bank, credit card and debit card account statements over the next 12 to 24 months and immediately reporting any suspicious activity to the appropriate bank or credit union. The department also advised monitoring credit reports with the major credit reporting agencies and provided contact info for Equifax, Experian and TransUnion.
The department also provided contact information so taxpayers can report any suspicious activity related to their data or discuss any concerns they might have with the Vermont tax agency.