An online tax advice service run by former Inland Revenue officials
has been forced to make security improvements after it emerged that
customers could view and download other people's tax returns.
Tax returns containing highly sensitive information, including
names and addresses, phone numbers, national insurance numbers and
details of salaries and tax bills, were left accessible by a
programming error on the Web site run by Taxchecker, which offers
an online tax return service.
Had the information fallen into the wrong hands, it could have
provided criminals with enough data to impersonate a person or to
commit crimes using a false identity, security experts
warned.
Taxchecker's problems came to light when IT security specialist
Russell Macdonald signed up to the site's online tax service last
month. He was alarmed to discover that he could view his tax return
without having to type in his confidential user name and password
by simply bookmarking the relevant page in his Web browser.
Further investigation revealed that it was possible to view other
people's tax returns by changing the customer code number on the
Web site address.
"We found you could look at employment records, see where people
work and how much they earn. If you go to the calculations page, it
will actually tell you their earnings for the year and how much tax
is due. You know their date of birth and their national insurance
number. That is very personal information," said Macdonald.
Lawyers said the error could have put Taxchecker in breach of the
Data Protection Act, which requires personal data to be held
securely.
"If it was that easy to get access to other people's data then the
company has not been complying with its obligations under the Data
Protection Act," said Mark Turner, IT specialist and partner at law
firm Herbert Smith.
Taxchecker, owned by ASP, was able to fix the problem within 45
minutes, after being alerted by Computer Weekly. Managing director
Paul Harmsworth said he was "horrified" at the time.
In a later interview, Harmsworth said that although the error could
have been serious, only a small number of tax returns were on the
system at the time. He denied breaching the Data Protection Act and
said he had taken all reasonable steps to secure the data.
Harmsworth went on to accuse Macdonald of hacking into the Web site
and said that his firm was considering criminal proceedings against
him. "He has quite deliberately contravened the terms and
conditions of the Web site and may have hacked into other people's
records." Harmsworth also threatened Computer Weekly with legal
action.
Harmsworth said that, as well as being user name- and
password-protected, the site uses 128-bit encryption and Taxchecker
hosts its own "totally ringfenced" SQL servers, with sensitive
customer data housed on a separate server kept behind a firewall
and not accessible via the World Wide Web.