PAT GREENHOUSE/GLOBE STAFF
A data mix-up on a state tax portal inadvertently made private data from about 16,500 business taxpayers viewable to other companies, potentially even competitors.
The breach lasted from Aug. 7, 2017, through Jan. 23, 2018, and allowed some companies to view other business’s names, federal employer identification numbers, tax payments, and other data, according to the Massachusetts Department of Revenue.
No individual employee information, such as Social Security numbers or wage data, was accessible to unauthorized people as a result, the agency said Tuesday.
In total, there were fewer than 150 instances in which a company could have peeked at another’s data, officials in the administration of Governor Charlie Baker said.
A total of 128 files were viewed by 145 unique businesses clients, but it’s possible those numbers include some companies looking at their own tax data, the officials said.
The saga began when the agency made a technical change aimed at allowing tax agents to better help businesses with questions about withholding. The shift allowed those agents to view bulk file data — the information submitted by payroll vendors— sent through the portal, MassTaxConnect.
But the Department of Revenue made a mistake somewhere along the way. Thirty-eight payroll companies were using the portal. And any one of their clients could have looked at data from any other of their clients. Companies would not have been able to see the information from a business that used a different payroll company.
The agency says it fixed the issue in January within 24 hours of finding out about it. But it did not send out a letter notifying the 38 payroll companies of the issue until Friday.
The reason for that delay was unclear.
The Globe became aware of the issue after being forwarded an e-mail sent to a client by Gusto, a payroll, benefits and human resources company.
The changes the agency made to the tax portal, the e-mail said, “erroneously permitted business taxpayers to view files containing company names, federal employer identification numbers (FEINs), and tax payment amounts for companies like yours. As a result, people outside your company could see your company data.”
A spokeswoman for Gusto confirmed the authenticity of the e-mail and underscored that the trouble originated with the agency, rather than with Gusto or any other payroll vendor.
Nathalie Dailida, a spokeswoman for the state Department of Revenue, said the agency “recently identified a technical issue related to bulk filer information within the MassTaxConnect system, and quickly determined that individual employee data was not made viewable. DOR has taken steps to correct this technical issue and will continue to take all precautions necessary to ensure reporting data is securely managed throughout this tax season.”
The agency’s leader is relatively new. Christopher C. Harding became commissioner of the Department of Revenue in August. He was previously the agency’s chief of staff and, before that, was an entrepreneur in the private sector.
Baker, a Republican, is running for reelection this year. During his tenure, he has trumpeted efforts to make state government more effective and efficient.
Massachusetts income taxes are due for most on April 17.
Clarification: An earlier version of this story used ADP as an example of the type of payroll vendor affected by a data breach at the Massachusetts Department of Revenue. ADP was not affected by that breach.
Kendall Square may be unique in the world for its combination of innovative companies and academic prowess. And developers are using that location as a model as they try to replicate its success elsewhere in the Boston area.Continue reading »
I clearly remember when AARP, the warm, smiling face of the trillion-dollar senior-industrial complex, made a marketing miscalculation that soured me on the group for good.Continue reading »
The St. Patrick’s Day parade is marching into a new era with a spring in its steps thanks to a financial boost from Amazon, the e-commerce king.Continue reading »
Siobhan Dullea will take the reins of the organization from founder John Harthorne.Continue reading »
A former high school all-star, Alex Chu was recruited for lacrosse at Wheaton College. But now he can’t join his team on the field because they can’t find a helmet large enough for him.Continue reading »
The little-known company, a comparison shopping site for auto insurance, looks almost nothing like a hot consumer technology firm.Continue reading »
Patrick Wardell will step down in June but continue leading the investigation into the death of Laura Levis, who had an asthma attack outside CHA’s hospital in Somerville.Continue reading »
The Gerstner Center will focus on developing a blood biopsy that would monitor a patient’s response to chemotherapy, radiation, or immunotherapy with molecular precision.Continue reading »
Patrick Moscaritolo played a pivotal part in expanding Boston’s image beyond Paul Revere and “Cheers,” making it a place where people from around the world come to visit.Continue reading »