Next Score View the next score

    Baker administration changes timeline on tax data breach

    Governor Baker’s team has changed its tax data breach information three times.
    Keith Bedford/Globe file
    Governor Baker’s team has changed its tax data breach information three times.

    Facing mounting questions over a serious breach of private taxpayer information, the Baker administration acknowledged Thursday that it had been alerted to the data snafu months before it fixed the problem.

    The disclosure, the third key piece of information about the breach Governor Charlie Baker’s team has flip-flopped on, raises new questions about the bug that made private information from about 39,000 business taxpayers visible to other companies, potentially including competitors.

    Earlier, the administration had also expanded the number of businesses it said were affected by the breach, and said a Social Security number may have been exposed, after originally stating no such data had been visible to anyone who should not have had access to it.


    The data troubles, which the Department of Revenue has said lasted from early August through Jan. 23, allowed some companies to view other business’s names, tax identification numbers, amount and date of tax payments, number of employees, and banking information about their payroll processor.

    Get Fast Forward in your inbox:
    Forget yesterday's news. Get what you need today in this early-morning email.
    Thank you for signing up! Sign up for more newsletters here

    Last week, a Baker administration official said, “Once DOR was made aware of the issue, DOR reversed this change in less than 24 hours.” And on Wednesday night, agency spokeswoman Nathalie Dailida said “DOR was made aware of the issue on January 23rd and reversed the change within five hours.”

    But after the Globe showed the tax-collecting agency a message a taxpayer sent to the agency in early November flagging the problem, the officials changed course, saying they had missed that heads up — as well as another one sent in early January.

    “The Department of Revenue considers the security of sensitive information to be the cornerstone of their mission to support taxpayers and finds this human error oversight entirely unacceptable,” Commissioner of Revenue Christopher C. Harding said in a statement Thursday night.

    “The department’s human resources division has initiated an internal investigation and will take appropriate action based on its findings. Additionally, the department will initiate a comprehensive review of taxpayer communications to ensure all messages have been promptly addressed,” said Harding, who was appointed to his job by Baker last summer.


    Last week, the administration said the breach had made private information from about 16,500 business taxpayers viewable by other companies. But after the Globe inquired about whether the Department of Revenue had underreported the scope of the breach, the agency said that the number of taxpayers affected was more than double its initial statement.

    And last week it said, as a result of the breach, no individual employee data, such as Social Security numbers, were viewable to those who shouldn’t have seen them. But on Wednesday, the administration acknowledged one person’s Social Security number had been visible to those who should not have had access to it.

    After the Globe published a story on the breach Wednesday night, an information technology professional who lives in Somerville wrote to the paper saying he had flagged for the agency something strange he had spotted in the MassTaxConnect tax portal last year — but no one ever responded to him.

    In his message, dated Nov. 7, 2017, and confirmed by the Globe as authentic, he told the agency that a file attached to his last payment “appears to include the withholding ID, business name, and tax payment amount for over 2,400 businesses, presumably all from the payroll service company. Is that supposed to be there? It doesn’t seem like that information should be public.”

    Late Thursday, revenue officials said a second message flagging the issue was sent on Jan. 2, 2018, and also went unaddressed.


    The breach began when the agency made a technical change aimed at allowing its tax agents to help businesses with questions about withholding. That shift allowed those agents to view bulk file data — the information submitted by payroll vendors — sent through the portal, MassTaxConnect.

    But something went wrong along the way.

    Of the 244 payroll companies that Dailida said used the troubled portal, 38 payroll companies — and their approximately 39,000 business taxpayer clients — were affected by the bug.

    That allowed a client of one of the affected payroll companies to peek into another client’s private tax information. But companies would not have been able to see the data from a business that used a different payroll company, Dailida said.

    She said the agency’s forensic review found that 128 files were viewed by 145 unique business clients, but those numbers include some companies looking at their own tax data. Of those files, Dailida said, seven contained banking information with 14 bank accounts associated with payroll processors.

    As for the Social Security number, Dailida said that as part of the forensic review the agency conducted, it cross-checked data that could have been inadvertently exposed.

    In doing so, she said, the department determined that a business owner was using his or her Social Security number as his or her federal Employer Identification Number, “which does not conform with IRS instructions.”

    Still, that revelation has now triggered a disclosure mandated by state law.

    Baker, a Republican, who has billed himself as a leader who makes state government more efficient and effective, is up for reelection in November.

    On Thursday, a spokeswoman for Baker, Lizzy Guyton, repeated the governor’s support for the commissioner, saying that Baker has full faith in Harding as leader of the agency.

    Joshua Miller can be reached at