Channel: Crime and Justice - VTDigger

Tax Department warns of possible data breach 


The Vermont Department of Taxes had a flaw in its system for three years that could have compromised the Social Security numbers of people who filed a property tax transfer return online — but the department says it doesn’t know if any such breach occurred.

From February 2017 until July 1 of this year, individuals who filed a property tax transfer return through the Tax Department’s online filing system were vulnerable due to information included in public land records that could have been used to access other forms with personal information, including Social Security numbers.

About 71,000 people filed the form online during the three-year window, but Tax Commissioner Craig Bolio said the department does not know if anyone’s data was actually breached.

On Wednesday, the department issued a notice to taxpayers who filed returns during the window, urging them to take precautionary measures.

Bolio said the department was made aware of the vulnerability by a Vermont real estate attorney on the evening of July 2 and shut down the system. The security flaw has since been patched, he said.

Vermont Tax Commissioner Craig Bolio. Supplied photo

Bolio said he thinks the risk of “widespread unauthorized access is pretty low,” but he urged people who filed their returns through the online system to be vigilant.

“We don’t have the logs to determine with certainty whether somebody’s information was actually accessed or not,” he said. “We want to be open, we want to encourage taxpayers who are in the population who filed a property transfer tax return electronically in that time frame to take proper precautions that’ll protect themselves.”

Unlike normal tax returns, a portion of property tax transfer returns become public land records, and are sent to the town clerk of the municipality where the property was purchased. During the three-year window, the public land records included an email address and a verification identification number that could have been used to log into the Tax Department’s site and access other forms related to that transaction that included Social Security numbers.

“It’s not as if you could walk into a municipal office and get private tax data,” Bolio said. “Somebody would have to get those verification credentials, understand how they could be used, and then they would be able to go access that information from that tax return.”

Matthew Borick, a litigator and data security advisor with the law firm Downs Rachlin Martin, said people who filed during the three-year period should keep track of bank statements and review credit reports to be extra vigilant.

“It just means that for people who did file these returns in the time period, it behooves them just to keep their eyes open a little more, which we all should be doing anyway,” Borick said.

Bolio said that the Tax Department undergoes intermittent security audits conducted by the Internal Revenue Service and is expecting one next year, barring any delays due to the coronavirus. The department also hires third-party contractors to conduct “penetration testing,” he said, which seeks to find vulnerabilities in online filing. One is expected this fall.

“Security needs to be an important part of any testing moving forward, and we’re having discussions with the Agency of Digital Services about what other process changes we could make in our testing process to make sure that something like this doesn’t happen,” Bolio said.

Read the story on VTDigger here: Tax Department warns of possible data breach .

