In 2023, the Federal Trade Commission (FTC) issued a cautionary notice to several leading tax preparation firms, indicating that they might face civil penalties should they misuse confidential consumer data for purposes unrelated to taxation. This warning underscored the crucial importance of safeguarding sensitive information within the tax preparation sector.
As the tax landscape evolves, concern is shifting towards the integrity of the software these tax preparation companies rely on. According to Gartner, 45% of organizations globally may face software supply chain attacks this year alone. Such breaches could have catastrophic implications for tax preparation businesses and their clientele, and the risk extends well beyond the traditional tax-filing season.
The tax software ecosystem holds highly sensitive information, including financial records, personal identifiers such as marital status and dependents, and even health-related data, all of which are prime targets for cybercriminals. These adversaries can exploit such data to commit identity theft, fraud, and other financial crimes, including targeted phishing schemes and extortion. One prevalent method attackers employ is exploiting vulnerabilities in the software used by tax preparation firms.
Much of the tax preparation software currently in use incorporates open-source components, which can harbor numerous security vulnerabilities. Alarmingly, around 95% of all discovered security weaknesses are attributed to these open-source libraries, with roughly half lacking known remedies. Furthermore, nearly 75% of open-source components suffer from inadequate maintenance, exposing users to additional risks.
During the peak of tax season, the intense demand on development teams can hinder timely updates and governance of software supply chains, creating openings for cyber threats to penetrate. Moreover, the recent reduction in IRS staffing may exacerbate security challenges, potentially allowing for delayed updates, diminished oversight, and increased vulnerability to cyber attacks.
Nevertheless, proactive measures can fortify tax preparation software against such threats throughout the year. A fundamental step is for developers and security teams to gain a thorough understanding of their software compositions, particularly through comprehensive software bills of materials (SBOMs). These documents provide visibility into the myriad of open-source and third-party components that make up the software, ensuring that all dependencies adhere to compliance standards and do not introduce risk.
Tax preparation firms must also keep their SBOMs organized and secured, so they can be retrieved quickly when needed for compliance verification or for due diligence on third-party vendors. The security of third-party partnerships must be evaluated just as rigorously, since these relationships often involve sharing sensitive data with a range of service providers, from e-filing systems to fraud prevention mechanisms.
Lastly, it is crucial that tax companies maintain an active posture toward vulnerability management. Identifying threats is only part of the solution; swift remediation actions must be undertaken, especially in cases involving open-source code where patches may not be readily available. Employing tools that help prioritize vulnerabilities and recommend fixes will be invaluable in addressing these risks effectively.
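To make the SBOM and prioritisation steps above concrete, here is an added example (not code from the original article or from any tax software vendor) that reads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory feed, and ranks the hits by severity while flagging components with no upstream fix yet. The package names and advisory ids are placeholders, not real projects or CVEs.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability feed and
prioritise the findings, flagging components that have no fix available."""
import json

# Constructed sample SBOM in CycloneDX JSON shape; not a real product's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "pdf-render", "version": "2.3.1", "purl": "pkg:pypi/pdf-render@2.3.1"},
    {"type": "library", "name": "xml-parse",  "version": "1.0.4", "purl": "pkg:pypi/xml-parse@1.0.4"},
    {"type": "library", "name": "crypto-kit", "version": "4.2.0", "purl": "pkg:pypi/crypto-kit@4.2.0"}
  ]
}"""

# Constructed advisory feed; ids are placeholders, not real CVE numbers.
# fixed_in None models the "no known remedy" case the article describes.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pdf-render", "affected_below": "2.4.0", "fixed_in": "2.4.0", "cvss": 9.8},
    {"id": "ADV-0002", "package": "xml-parse",  "affected_below": "1.1.0", "fixed_in": None,    "cvss": 7.5},
    {"id": "ADV-0003", "package": "crypto-kit", "affected_below": "4.0.0", "fixed_in": "4.0.0", "cvss": 8.1},
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def match_advisories(sbom_json, advisories):
    """Return one finding per (component, advisory) hit, most urgent first:
    highest CVSS, and among equal scores the unfixed ones before the fixed."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if ver < parse_version(adv["affected_below"]):
                findings.append({
                    "component": comp["purl"],
                    "advisory": adv["id"],
                    "cvss": adv["cvss"],
                    "fix_available": adv["fixed_in"] is not None,
                    "recommendation": (f"upgrade to {adv['fixed_in']}" if adv["fixed_in"]
                                       else "no upstream fix: isolate, mitigate or replace"),
                })
    findings.sort(key=lambda f: (-f["cvss"], f["fix_available"]))
    return findings

if __name__ == "__main__":
    for finding in match_advisories(SBOM_JSON, ADVISORIES):
        print(finding)
```

A real SBOM would be matched on purl against a live feed such as OSV or the NVD, but the ranking logic, and the need to track fix availability separately from severity, stays the same.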
As tax companies navigate an increasingly complex cybersecurity landscape, they must implement robust measures such as multi-factor authentication, regular software updates, encryption standards, and comprehensive security training for users. While these protocols lay the groundwork for security, they are ineffective without a solid and secure software supply chain. By prioritizing the maintenance of SBOMs and ensuring robust oversight of third-party software, tax preparation firms can significantly mitigate the risk of data breaches throughout the year.