PAT GREENHOUSE/GLOBE STAFF
A data mix-up on a state tax portal inadvertently made private data from about 16,500 business taxpayers viewable to other companies, potentially even competitors.
The breach lasted from Aug. 7, 2017, through Jan. 23, 2018, and allowed some companies to view other business’s names, federal employer identification numbers, tax payments, and other data, according to the Massachusetts Department of Revenue.
No individual employee information, such as Social Security numbers or wage data, was accessible to unauthorized people as a result, the agency said Tuesday.
In total, there were fewer than 150 instances in which a company could have peeked at another’s data, officials in the administration of Governor Charlie Baker said.
A total of 128 files were viewed by 145 unique businesses clients, but it’s possible those numbers include some companies looking at their own tax data, the officials said.
The saga began when the agency made a technical change aimed at allowing tax agents to better help businesses with questions about withholding. The shift allowed those agents to view bulk file data — the information submitted by payroll vendors— sent through the portal, MassTaxConnect.
But the Department of Revenue made a mistake somewhere along the way. Thirty-eight payroll companies were using the portal. And any one of their clients could have looked at data from any other of their clients. Companies would not have been able to see the information from a business that used a different payroll company.
The agency says it fixed the issue in January within 24 hours of finding out about it. But it did not send out a letter notifying the 38 payroll companies of the issue until Friday.
The reason for that delay was unclear.
The Globe became aware of the issue after being forwarded an e-mail sent to a client by Gusto, a payroll, benefits and human resources company.
The changes the agency made to the tax portal, the e-mail said, “erroneously permitted business taxpayers to view files containing company names, federal employer identification numbers (FEINs), and tax payment amounts for companies like yours. As a result, people outside your company could see your company data.”
A spokeswoman for Gusto confirmed the authenticity of the e-mail and underscored that the trouble originated with the agency, rather than with Gusto or any other payroll vendor.
Nathalie Dailida, a spokeswoman for the state Department of Revenue, said the agency “recently identified a technical issue related to bulk filer information within the MassTaxConnect system, and quickly determined that individual employee data was not made viewable. DOR has taken steps to correct this technical issue and will continue to take all precautions necessary to ensure reporting data is securely managed throughout this tax season.”
The agency’s leader is relatively new. Christopher C. Harding became commissioner of the Department of Revenue in August. He was previously the agency’s chief of staff and, before that, was an entrepreneur in the private sector.
Baker, a Republican, is running for reelection this year. During his tenure, he has trumpeted efforts to make state government more effective and efficient.
Massachusetts income taxes are due for most on April 17.
Clarification: An earlier version of this story used ADP as an example of the type of payroll vendor affected by a data breach at the Massachusetts Department of Revenue. ADP was not affected by that breach.
Being an also-ran might be what’s best for the region, but housing and transportation issues remain.Continue reading »
The toll that the opioid epidemic is taking on the Massachusetts economy now has a cost in dollars.Continue reading »
General Electric Co. surged as Chief Executive Officer Larry Culp accelerated plans to pare the company’s stake in Baker Hughes with a deal that would raise almost $4 billion at current prices.Continue reading »
Reed Kandalaft’s career in the hotel industry has taken him to a number of sunny, warm-weather locales. Think Florida or Hawaii.Continue reading »
The cost of the complicated Back Bay project has been pegged at about $350 million.Continue reading »
The company, which has so far exclusively sold to property developers, said Tuesday that it is launching its first consumer product.Continue reading »
The proposed complex would be built in a stretch of the South End that has seen a flood of big development in recent years.Continue reading »
The number of delayed flights into and out of Logan airport increased substantially in the past week after one of the main runways was shut.Continue reading »
Circulation uses Uber to transport patients to non-emergency medical appointments.Continue reading »