A vulnerability in the state’s system may have exposed the personal data of those who filed Property Transfer Tax returns online, data that can be used for credential theft.
The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system.
A notice posted on the department’s website warned that taxpayers who filed a Property Transfer Tax return through the department’s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.
The department said it discovered the vulnerability, which could allow a threat actor to use a person’s credentials to access tax info, on July 2. The flaw was in the verification process of its online filing system for this particular type of return, according to the notice. Property Transfer Tax returns are filed when someone acquires a property or transfers ownership of one.
“Verification credentials for electronically filed property transfer tax returns available in public municipal records could be used to access previously submitted tax return information,” the department said in the notice. “The credentials could have been used to access private information including the social security number of the buyer of the property, and last four digits of the social security number of the seller of the property.”
The department “immediately” disabled the vulnerable functionality and patched the flaw so that information in the municipal records cannot be used to search for previously submitted Property Transfer Tax returns, according to the notice.
The state said it has no way to determine if someone’s individual data was accessed. However, at this time the department has not received any reports of unauthorized access to property transfer tax returns and believes chances are “low” that it occurred.
Full article on https://threatpost.com/vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/157856/