Millions of TurboTax users will be troubled by a lawsuit that was filed Monday in San Francisco against Intuit, Inc. claiming that when the firm knew TurboTax’s lax software security protections were allowing a huge spike in tax refund theft, TurboTax failed to correct weaknesses or notify customers about ongoing risks.
As more people have been filing their taxes electronically online using software tools like TurboTax, tax fraud has ballooned. The number of suspected cases of electronic tax fraud jumped from 500,000 in 2010 to almost two million in 2013, according to Internal Revenue Service data cited in the filing. The IRS disclosed preventing an estimated $24.2 billion in fraudulent refunds in 2013, but paid $5.8 billion in fraudulent refunds.
The complaint, filed in federal court in the Northern District of California, claims: “Rather than protecting customers’ personal and financial information by implementing stricter security measures, TurboTax has instead knowingly facilitated identity theft tax refund fraud by allowing cybercriminals easy access to its customers’ most private information.”
Plaintiffs allege that TurboTax’s parent company did not take adequate steps to stop criminals from using TurboTax to steal customers’ personal information, file false returns, and collect cash from e-file next-day direct-deposit refunds. Once the security risk and fraudulent activity were known to Intuit, the company allegedly failed to notify victims after their personal information was used to file fraudulent tax returns.
Despite Intuit’s website promise that “all TurboTax platforms offer a secure, easy-to-use experience,” lawyers allege that Intuit waited years to implement a “very basic” two-step authentication system of the kind email and social media companies have used to protect customer accounts from hackers. Despite knowledge of criminal attacks on its website, Intuit allegedly failed to make the change until the FBI began investigating widespread fraud in February.
Just after the Wall Street Journal reported the FBI probe, the highly respected KrebsOnSecurity blog published an exclusive interview with Indu Kodukula, Intuit’s Chief Information Security Officer. Kodukula explained that customer password re-use was a major cause of a spike during the 2014 tax season of fraudulent state tax refund requests. He acknowledged that Intuit was aware of the increase in phony state refund requests, but claimed “the majority of refund scams the company has to deal with stem from ‘stolen identity refund fraud’ or SIRF,” due to thieves gathering pieces of data about taxpayers through phishing attacks or underground identity theft.
But KrebsOnSecurity also spoke to Robert Lee, a former security business partner at Intuit’s consumer tax group until 2014, who said the company made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Despite his team developing sophisticated fraud models to help Intuit quickly identify and close accounts being used by crooks to commit massive amounts of SIRF fraud, Intuit repeatedly refused to adopt some basic security policies that could have made it more costly and complicated for crooks to re-use the same Social Security number in many TurboTax accounts and tax returns.
“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee told KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
A February post on the TurboTax blog called the accusations by former employees “unfounded” and “without merit.” The post added, “We recognize that some employees who work in information security would like us to do more to prevent fraud, and we are committed to doing so as fast as we can to combat the constantly evolving and increasingly sophisticated methods of cybercriminals.”
The plaintiffs’ lawyers are McCuneWright in Redlands; Lieff, Cabraser, Heimann & Bernstein in San Francisco; and Morgan & Morgan in Florida. They intend to expand the lawsuit into two nationwide class actions against TurboTax, according to The Recorder. One suit will represent “customers who had personal data stolen” and the other will represent “non-customers who were victims of fraudulent returns filed in their name through TurboTax.” The class actions will accuse Intuit of aiding and abetting fraud, breach of contract, and violating California’s Unfair Competition Law and Consumer Records Act.