A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers’ Social Security numbers and bank account numbers, a security researcher found.

Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers’ information by incrementing the application number by a single digit. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.

Mohsin provided TechCrunch with screenshots of the website flaw, which included samples of names, home and business addresses, bank account and routing numbers, Social Security numbers and other unique tax identifiers used for filing paperwork with the state and federal government.

Mohsin contacted the Florida Department of Revenue on October 27 and was provided an email address to report the vulnerability. He did, and the flaw was fixed soon after, but he said he has not heard back from the department since.

When reached for comment, the Florida Department of Revenue told TechCrunch that the flaw was fixed within four days of Mohsin’s report and that two security companies, which the department did not name, say the website is now secure.

“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information,” said spokesperson Bethany Wester in an email. “Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

When asked, the department said that it has identified “no sign of exploitation prior to this breach,” but did not say if it had the technical means, such as logs, to determine if there was evidence of prior exploitation or data exfiltration.

Read more on TechCrunch:

Florida state tax website bug exposed filers’ data by Zack Whittaker originally published on TechCrunch

source