Yikes! Data breach at Mass. tax agency allowed companies to peek in on competitors’ data
A data mix-up on a state tax portal inadvertently made private data from about 16,500 business taxpayers viewable to other companies, potentially even competitors.
The breach lasted from Aug. 7, 2017, through Jan. 23, 2018, and allowed some companies to view other businesses' names, federal employer identification numbers, tax payments, and other data, according to the Massachusetts Department of Revenue.
No individual employee information, such as Social Security numbers or wage data, was accessible to unauthorized people as a result, the agency said Tuesday.
In total, there were fewer than 150 instances in which a company could have peeked at another’s data, officials in the administration of Governor Charlie Baker said.
A total of 128 files were viewed by 145 unique business clients, but it's possible those numbers include some companies looking at their own tax data, the officials said.
The saga began when the agency made a technical change aimed at allowing tax agents to better help businesses with questions about withholding. The shift allowed those agents to view bulk file data, the information submitted by payroll vendors through the portal, MassTaxConnect.
But the Department of Revenue made a mistake somewhere along the way. Thirty-eight payroll companies were using the portal, and in effect the change bounded access by payroll company rather than by individual taxpayer: any client of a given payroll company could have looked at data from any other client of that same payroll company. Companies would not have been able to see information from a business that used a different payroll company.
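To make the failure concrete, here is an added illustration of the authorization mistake the article describes. It is hypothetical model code written for this page, not MassTaxConnect or Department of Revenue code, and the vendor, company and FEIN values are constructed. A bulk file from a payroll vendor carries rows for many client companies; a check that only asks "does this file come from the requester's payroll vendor?" lets every client of that vendor read every other client's rows, while the hardened version authorizes the rows actually returned. An `audit_views` helper replays logged views through the flawed check to separate views that exposed another company's data from views in which a company saw only its own rows, the ambiguity the officials noted in their counts.

```python
# Added illustration, not MassTaxConnect code: a hypothetical model of an
# access check scoped to the payroll vendor (bulk filer) instead of to the
# individual business taxpayer, beside the record-level fix.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    """One company's row inside a vendor's bulk file (constructed fields)."""
    fein: str
    company_name: str
    tax_payment: float


@dataclass(frozen=True)
class BulkFile:
    """A payroll vendor's bulk submission covering many client companies."""
    file_id: int
    vendor_id: str
    records: Tuple[Record, ...]


@dataclass(frozen=True)
class BusinessUser:
    """A business taxpayer logged in to the portal: its own FEIN and the
    payroll vendor that files on its behalf."""
    fein: str
    vendor_id: str


class AccessDenied(Exception):
    pass


def view_vendor_scoped(user: BusinessUser, f: BulkFile) -> List[Record]:
    """Flawed check: the only question asked is whether the file came from
    the requester's payroll vendor, so every client of that vendor sees
    every other client's rows."""
    if user.vendor_id != f.vendor_id:
        raise AccessDenied("file belongs to another payroll vendor")
    return list(f.records)


def view_taxpayer_scoped(user: BusinessUser, f: BulkFile) -> List[Record]:
    """Hardened check: keep the vendor test, then authorize at the level of
    the data returned, i.e. only rows carrying the requester's FEIN. A file
    holding nothing of the requester's is a denial rather than an empty
    success, so probing other files yields no signal."""
    if user.vendor_id != f.vendor_id:
        raise AccessDenied("file belongs to another payroll vendor")
    own = [r for r in f.records if r.fein == user.fein]
    if not own:
        raise AccessDenied("file contains no records for this taxpayer")
    return own


def is_denied(view, user: BusinessUser, f: BulkFile) -> bool:
    """True if the given view function refuses this request."""
    try:
        view(user, f)
    except AccessDenied:
        return True
    return False


def audit_views(views: List[Tuple[BusinessUser, BulkFile]]) -> Dict[str, int]:
    """Replay logged (user, file) views through the flawed check and count
    views that would have exposed another company's rows versus views in
    which the company only saw its own data."""
    cross, own_only = 0, 0
    for user, f in views:
        try:
            rows = view_vendor_scoped(user, f)
        except AccessDenied:
            continue
        if any(r.fein != user.fein for r in rows):
            cross += 1
        else:
            own_only += 1
    return {"cross_company": cross, "own_data_only": own_only}


# Constructed sample data; no real taxpayers or vendors.
ACME = BusinessUser(fein="11-1111111", vendor_id="vendorA")
BETA = BusinessUser(fein="22-2222222", vendor_id="vendorA")
GAMMA = BusinessUser(fein="33-3333333", vendor_id="vendorB")

FILE_A = BulkFile(1, "vendorA", (
    Record("11-1111111", "Acme Corp", 12500.00),
    Record("22-2222222", "Beta LLC", 980.50),
))
FILE_B = BulkFile(2, "vendorB", (
    Record("33-3333333", "Gamma Inc", 4300.00),
))
# A vendor-A file for a period in which Beta had nothing to report.
FILE_A2 = BulkFile(3, "vendorA", (
    Record("11-1111111", "Acme Corp", 12700.00),
))

if __name__ == "__main__":
    print("flawed:", [r.company_name for r in view_vendor_scoped(ACME, FILE_A)])
    print("fixed: ", [r.company_name for r in view_taxpayer_scoped(ACME, FILE_A)])
    print(audit_views([(ACME, FILE_A), (GAMMA, FILE_B), (BETA, FILE_A2)]))
```

The point of the audit helper is the one the officials raised: a count of file views is not a count of exposures, because a view in which a company saw only its own rows is harmless, and only a replay against the file contents distinguishes the two.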
The agency says it fixed the issue in January within 24 hours of finding out about it; by the agency's own dates, the exposure had gone unnoticed for roughly five and a half months. But it did not send out a letter notifying the 38 payroll companies of the issue until Friday.
The reason for that delay was unclear.
The Globe became aware of the issue after being forwarded an e-mail sent to a client by Gusto, a payroll, benefits and human resources company.
The changes the agency made to the tax portal, the e-mail said, “erroneously permitted business taxpayers to view files containing company names, federal employer identification numbers (FEINs), and tax payment amounts for companies like yours. As a result, people outside your company could see your company data.”
A spokeswoman for Gusto confirmed the authenticity of the e-mail and underscored that the trouble originated with the agency, rather than with Gusto or any other payroll vendor.
Nathalie Dailida, a spokeswoman for the state Department of Revenue, said the agency “recently identified a technical issue related to bulk filer information within the MassTaxConnect system, and quickly determined that individual employee data was not made viewable. DOR has taken steps to correct this technical issue and will continue to take all precautions necessary to ensure reporting data is securely managed throughout this tax season.”
The agency’s leader is relatively new. Christopher C. Harding became commissioner of the Department of Revenue in August. He was previously the agency’s chief of staff and, before that, was an entrepreneur in the private sector.
Baker, a Republican, is running for reelection this year. During his tenure, he has trumpeted efforts to make state government more effective and efficient.
Massachusetts income taxes are due for most on April 17.
Clarification: An earlier version of this story used ADP as an example of the type of payroll vendor affected by a data breach at the Massachusetts Department of Revenue. ADP was not affected by that breach.