Completed Tax Forms Inadvertently Posted Online

Monday, April 11, 2011



Stephen Chapman published an article in which he describes how easy it was to use search engines to locate tax forms and other sensitive information inadvertently posted online.

The documents contain enough personally identifiable information to put the posters at serious risk of identity theft. Even more concerning, some of the information pertains to children, making them susceptible to having their identities stolen as well.

"As of 4/10/2011, I have discovered in excess of 50 tax documents containing any given combination of Social Security numbers, credit card information, names, addresses, tax IDs, and phone numbers being made available online. However, unlike recent leaks of email addresses and password hashes being made available due to hackers compromising systems, these documents are being unknowingly made freely available to prying eyes by the very owners of said information," Chapman writes.

In the majority of the instances where Chapman found sensitive documents that were indexed and searchable, the owners of the information did not realize that by placing the information on family and/or business websites, they were making the information publicly accessible.

Chapman also found instances where educational institutions had made the data available online, amounting to an inexcusable breach of trust in the handling of sensitive financial information.

Once the documents were available on the web, it was only a matter of time before they were indexed, making them easily located using search engine queries.

Chapman recommends the following remediation if you suspect your data has been posted and indexed online:

1 - DO NOT STORE PRIVATE INFORMATION ONLINE! That’s about as cut-and-dry as it gets.

2 - If you must store private information online, then enable authentication which requires you to log in prior to being able to see and download the contents of a directory. Additionally, password-protect your files and change or encrypt file names so that they cannot show up in searches related to their file names or provide intrigue for potential intruders (i.e. if someone is digging around for tax information on your site and they see a file called “Tax-Information-2011.ppsx”, then they’re most certainly going to be sure to check out that file).

3 - If you find your information has been indexed in a search engine, remove your file(s) immediately from your Web site, then contact the search engine to have both the indexed and cached results removed. Don’t just remove the file(s) from your site, because someone could still view a search engine-cached version of the file(s).

4 - To see if your information has been compromised, check any and all logs from your Web site dating back to the day you placed the file on your site. If you see download activity on your file(s) from an IP address you do not recognize, then there’s a good chance your personal information has been compromised. Acceptance will undoubtedly be difficult, but it’s necessary to move forward with preventing further damage.

5 - If you suspect you have become a victim of identity theft, it may behoove you to obtain a credit report, sign up for credit monitoring, and reach out to your local FBI branch to report any findings you may have with regards to your personal information being stolen and utilized.


Possibly Related Articles:
Identity Theft Privacy Social Security Numbers Headlines Personally Identifiable Information Search Engine Online Tax Return
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.