Web site errors let users view others' tax returns

An online tax advice service run by former Inland Revenue officials has been forced to make security improvements after it...

An online tax advice service run by former Inland Revenue officials has been forced to make security improvements after it emerged that customers could view and download other people's tax returns.

Tax returns containing highly sensitive information, including names and addresses, phone numbers, national insurance numbers and details of salaries and tax bills, were left accessible by a programming error on the Web site run by Taxchecker, which offers an online tax return service.

Had the information fallen into the wrong hands, it could have provided criminals with enough data to impersonate a person or to commit crimes using a false identity, security experts warned.

Taxchecker's problems came to light when IT security specialist Russell Macdonald signed up to the site's online tax service last month. He was alarmed to discover that he could view his tax return without having to type in his confidential user name and password by simply bookmarking the relevant page in his Web browser.

Further investigation revealed that it was possible to view other people's tax returns by changing the customer code number on the Web site address.

"We found you could look at employment records, see where people work and how much they earn. If you go to the calculations page, it will actually tell you their earnings for the year and how much tax is due. You know their date of birth and their national insurance number. That is very personal information," said Macdonald.

Lawyers said the error could have put Taxchecker in breach of the Data Protection Act, which requires personal data to be held securely.

"If it was that easy to get access to other people's data then the company has not been complying with its obligations under the Data Protection Act," said Mark Turner, IT specialist and partner at law firm Herbert Smith.

Taxchecker, owned by ASP, was able to fix the problem within 45 minutes, after being alerted by Computer Weekly. Managing director Paul Harmsworth said he was "horrified" at the time.

In a later interview, Harmsworth said that although the error could have been serious, only a small number of tax returns were on the system at the time. He denied breaching the Data Protection Act and said he had taken all reasonable steps to secure the data.

Harmsworth went on to accuse Macdonald of hacking into the Web site and said that his firm was considering criminal proceedings against him. "He has quite deliberately contravened the terms and conditions of the Web site and may have hacked into other people's records." Harmsworth also threatened Computer Weekly with legal action.

Harmsworth said that, as well as being user name- and password-protected, the site uses 128-bit encryption and Taxchecker hosts its own "totally ringfenced" SQL servers, with sensitive customer data housed on a separate server kept behind a firewall and not accessible via the World Wide Web.

Read more on IT risk management