Hidden dangers? Tax software companies must take measures to protect against the leaking of customer data

Every year, like clockwork, tax season arrives, and as Benjamin Franklin proclaimed, “In this world, nothing can be said to be certain, except death and taxes.” This undeniable fact has driven the growth of tax software companies to offload what can often be an intimidating and time-intensive exercise for most households.

Using software means faster preparation time, fewer errors, reduced chance of an audit, and refunds being issued in a shorter timeframe (averaging 21 days from the filing date).

The fiscal year of 2023

In the fiscal year of 2023, the IRS (Internal Revenue Service) processed more than 162 million federal individual tax returns and supplemental documents. American taxpayers spend 1.7 billion hours and $31 billion on tax preparation, with the average person spending 13 hours and $270 to file, per year. 

A survey commissioned by The College Investor to 1,200 Americans discovered that 46% of Americans use tax software to file their taxes, 27% use a full in-person service, and 16% still use pen and paper. It was also determined that the majority of those using software used TurboTax 51% of the time, H&R Block 14% of the time, with several other software vendors in the 4%-5% range.

The biggest reason users selected the software they decided to go with…ease of use.

Taxes and customer data

While tax preparation software has become an indispensable tool for convenience and efficiency, this convenience has also come with inherent risks, particularly concerning safeguarding Personally Identifiable Information (PII).

Credit cards are used to pay for the software each year or for auto-renewals, home addresses are used for payments and to set up accounts, and social security numbers are required for identity verification.

The problem is that the PII being entered to purchase the software and file the tax return is also being secretly monitored and collected by third-party vendor tags, putting both the user and tax preparation software business at risk. 

Popular tax software tools and risks 

The tax software tools that stand out for consumers and businesses include Intuit's TurboTax, H&R Block, Jackson Hewitt, and TaxAct as among the leading platforms relied upon by millions during tax season.

They are practical tools that save users time and money but their widespread use and popularity also make them prime targets for data leakage and malicious actors seeking to exploit them.

Here are a few areas that need to be actively addressed when  attempting to mitigate consumer data leakage, data privacy issues, malicious threats, and non-compliance with PCI:

1. Software Purchases & Digital Skimming

Tax software companies routinely handle transactions, that require the collection and storage of users' credit card information.

When purchasing software online through a tax preparation software vendor’s website the common practice is to use a credit or debit card for either a one-time purchase or annual subscription. 

Digital skimming has grown over the years as a common online threat actor practice to collect and exfiltrate credit card information for malicious purposes.

2. PCI DSS Compliance

Companies, like tax preparation software vendors, that transact and store credit card information also need to comply with PCI DSS v4. 

The two new payment page security requirements 6.4.3 and 11.6.1 require organizations to justify and validate that scripts have a business purpose, scripts maintain their integrity, and personnel are alerted when scripts change.

3. Personal Information & Data Leakage

Tax software platforms often require users to input sensitive personal details such as filing status, social security numbers, and addresses.

Unauthorized access to such information can have severe consequences, ranging from identity theft to financial fraud. Any third-party tag present on the website or software has unfettered access to this information with the ability to collect and pull back to the vendor site.

4. Seasonal Account Creation and High Traffic Volume

Creating an account on tax software platforms can inadvertently expose users to data breaches, as a wealth of personal and financial information is stored within user profiles.

As tax season builds so do website traffic and software updates that include third-party script updates that become unmanageable for security and development experts to handle manually.

Client-side security risks

Each of these tax preparation software use cases has significantly increased the risk to the consumer as well as the business given the collection of this data occurs uncontrolled on the client side of the transaction.

As users input data into open-field forms, they do so blindly and completely unaware of third-party vendors also collecting this sensitive information.

Quite often, the vendors collecting this information could be analytics, performance, marketing, or payment service JavaScript tags.

While others could be digital skimming attacks injecting JavaScript to maliciously monitor, collect, and monetize consumer information.

The urgent need for enhanced security measures

What can be done to avoid these malicious or inadvertent data breaches?

Tax software companies must fortify their defenses against potential breaches and cyber attacks. In 2023, a US Senate report showed that some of the country’s largest tax-prep companies have spent years sharing Americans’ sensitive financial data with tech corporations such as Meta and Google in a potential violation of federal law.

In addition to typical personal details like names, phone numbers, and email addresses, the shared information encompassed specific taxpayer data regarding individuals' filing status, adjusted gross income, the extent of their tax refunds, and even insights into the buttons and text fields they interacted with during their tax form submissions.

The report highlights the pressing need for tax software companies to prioritize security enhancements, leveraging cutting-edge solutions and best practices to fortify their platforms against emerging threats.

Comprehensive  control with expertise that instills customer trust

Still, like many other merchants in different industries, tax companies need to collect and store sensitive customer data to operate their business efficiently.

The question ultimately lies in how can tax preparation software vendors effectively protect customer data while also enabling their businesses to operate and innovate.
 

When researching security vendors to support these requirements every tax preparation software vendor should be evaluating a client-side protection solution based on the following criteria:

1. Comprehensive Platform

First-Party JavaScript Obfuscation

The platform should facilitate the implementation of standardized, state-of-the-art code obfuscation for all internally developed JavaScript throughout the product life cycle, spanning from development to runtime. 

Fine-Grained Third-Party Tag Control

The platform should offer consistent, fine-grained visibility and control over the behavior and data consumption of all third-party tags’ JavaScript across the entire business.

2. Best of Breed & Quality

The ideal client-side protection and compliance platform should be entirely dedicated to client-side security and compliance. It should provide a comprehensive solution to protect businesses from emerging client-side risks and mitigate security threats, data leakage, IP theft, and compliance breaches.

This includes a solution that focuses on controlling credit card data on the payment page but also access to personal information often input including name, address, filing status, and social security numbers. 
 

3. Top Notch Tax Season Performance

The platform must have the capability to scale and support the largest and most demanding websites without causing any slowdown or disruption to the online user experience. 

Given tax preparation software is impacted based on seasonal increases in web traffic it's imperative the solution selected can scale up or down based on performance needs. 

4. Sweeping Client-Side Security & Compliance Policies 

A key feature of the ideal solution ought to be its ability to support the formulation by all involved teams (e-comm, product management, software development, fraud mitigation, security, digital, marketing as well as governance, risk, and compliance) of a centralized security policy encompassing all client-side related risks and regulatory compliance requirements including PCI DSS.

5. Client-Side Expertise

The chosen vendor should provide full customer support at every step.

Clients can get help choosing the right first-party JavaScript obfuscation techniques for their needs. For third-party tags, skilled consultants are available to guide them in setting up the best risk mitigation strategies, including suitable data fencing tactics. And if desired a fully managed service should be offered.

A vendor with the right level of expertise will enable business operations while instilling customer trust.

By adopting a proactive stance towards security, companies can fortify their defenses against evolving cyber threats and ensure a safer, more secure, and trusted tax filing experience.