The nation’s 3rd largest submitter of self-prepared income tax returns reports that data thieves stole customers’ financial information. The interesting part of this story is that the company, TaxAct, says the thieves stole the username and password data elsewhere (for example, hacking individual cell phones) and then used those legitimate log in credentials to gain access to the individual’s TaxAct data account to steal personal financial information. There is no evidence that the tax preparer’s servers were hacked, according to coverage in today’s Wall Street Journal.
This story reinforces the security theme that adviser like me have been dispensing all along: the much larger security risks we face on a daily basis are in our physical devices, not online “cloud” servers.
In simplest terms: we should not be worried about data breaches in online services nearly as much as the risks of using our phones, tablets and home PCs to access those services.
I recommend proper use of a password management system like LastPass, including: 1) distinct usernames and passwords for each online service, 2) randomly generated passwords and 3) periodic scan and removal of any username and password from a personal computing device. These three steps would likely have prevented the type of data breaches reported by TaxAct.