funsec mailing list archives

Re: [Full-disclosure] H&R Block Tax Service sends mail with SSN on the label.


From: "J.A. Terranson" <measl () mfn org>
Date: Sun, 1 Jan 2006 12:39:58 -0600 (CST)



Gotta love H&R Bleak: they'll do your taxes right - away....


On Sun, 1 Jan 2006, Exibar wrote:

Date: Sun, 1 Jan 2006 13:20:29 -0500
From: Exibar <exibar () thelair com>
To: Troy Solo <solo () dok org>, full-disclosure () lists grok org uk
Cc: funsec () linuxbox org
Subject: Re: [Full-disclosure] H&R Block Tax Service sends mail with SSN
    on thelabel.

"limited to you alone..."  sure, all it takes is for one person to figure
out how many digits into this source code the SSN begins, and there you
go.  Not exactly rocket science there...

  Exibar

----- Original Message -----
From: "Troy Solo" <solo () dok org>
To: <full-disclosure () lists grok org uk>
Cc: <funsec () linuxbox org>
Sent: Sunday, January 01, 2006 12:55 PM
Subject: [Full-disclosure] H&R Block Tax Service sends mail with SSN on
thelabel.


My wife received this snail mail letter yesterday:

"Recently we mailed you a free copy of our TaxCut software.  We believe
that this complimentary software will meet your 2006 tax preparation
needs, based on our prior experience with you as an H&R Block client.
We hope that you will try TaxCut and find it to be a great solution for
filing your next tax return.

However, since we sent you this CD, we have become aware of a mail
production situation that has affected a small percentage of recipients,
including you.  Due to human error in developing the mailing list, the
digits of your social security number (SSN) were used as part of your
mailing label's source code, a string of more than 40 numbers and
characters.  Fortunately, these digits were embedded in the middle of
the string, and they were not formatted in any manner that would
identify them as an SSN.

Nevertheless, we sincerely apologize for this inadvertent error, which
is completely inconsistent with our strict policies to protect our
clients' privacy.  Our internal policies limit the use of client SSNs
for purposes other than tax preparation.  Furthermore, our internal
procedures require that mailing source codes are formulated in a manner
that excludes use of any sensitive or confidential information.  Please
know that we have conducted a thorough internal review of this matter,
and are taking actions to ensure this does not re-occur.

Again, please understand that the digits of your SSN were embedded in
the middle of a lengthy source code, and they were not formatted in a
manner that identifies them as an SSN.  As a result, we believe that
exposure of your SSN digits was limited to you alone, since you are the
only person who would recognize their significance.  Nonetheless, we
suggest that you destroy the wrapper and mailing label of the free
TaxCut CD we sent you.  If you would like more information about this
incident, please visit www.taxcut.com/answers, a special Website that
contains additional details and an e-mail link for contacting us with
your questions.

On behalf of more than 100,000 associates of H&R Block, allow me to
apologize for this unfortunate situation.  Through 50 tax seasons, H&R
Block has earned a reputation as a valued, trustworthy ally to our
clients, and we sincerely hope that you will find the free TaxCut CD and
our information packed taxcut.com Website to be helpful tools for the
2006 tax filing season.

Sincerely,

Tom Allanson
Senior Vice President & General Manager
H&R Block Digital Tax Solutions

4400 Main Street Kansas City, MO 64111
www.taxcut.com"

---------------------------------

The part about "the exposure of the SSN was limited to you alone because
you are the only person who would recognize your number" kills me.

--
/*
/*  Troy Solo
/*  <solo () dok org>
/*  Si Hoc Legere Scis Nimium Eruditionis Habes
/*
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF


'The right of self defence is the first law of nature: in most governments
it has been the study of rulers to confine this right within the narrowest
limits possible. Wherever standing armies are kept up, and the right of
the people to keep and bear arms is, under any colour or pretext
whatsoever, prohibited, liberty, if not already annihilated, is on the
brink of destruction.'

St. George Tucker
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
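The letter says H&R Block's procedures require that mailing source codes "exclude use of any sensitive or confidential information", yet nothing in the pipeline caught nine SSN digits sitting inside a 40-character label string. Below is an added example (not from this thread, and not H&R Block's code) of the pre-mailing gate a mail-merge pipeline can run over every generated label: a structural scan that slides a 9-digit window across any digit run (so unformatted digits buried mid-string are found, exactly the case Exibar describes), plus a known-value check that asserts the client's own SSN digits never appear in the piece. The label strings and the SSN 123-45-6789 are constructed sample values.

```python
import re
from typing import Optional

# Constructed sample mailing-label "source codes" (the campaign/tracking
# string printed on a mail piece). Every value is invented for this example;
# 123-45-6789 is a synthetic SSN, not anyone's real number.
SAMPLE_LABELS = {
    "clean":     "TC06-KC-BATCH7-0000413-MO64111-PROMO-A9Q",
    "embedded":  "TC06-KC-BATCH7-0000413123456789MO64111-PROMO-A9Q",
    "formatted": "TC06-KC-ACCT 123-45-6789 REF-MO64111",
}

DIGIT_RUN = re.compile(r"\d+")
FORMATTED_SSN = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def plausible_ssn(nine: str) -> bool:
    """Structural SSA rules: area 001-899 except 666, group 01-99, serial 0001-9999."""
    area, group, serial = int(nine[:3]), int(nine[3:5]), int(nine[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def ssn_like_windows(text: str):
    """Yield every 9-digit candidate: each window of a digit run of length >= 9
    (catches digits hidden inside a longer unformatted string) plus any
    conventionally formatted 123-45-6789 group."""
    for run in DIGIT_RUN.findall(text):
        for i in range(len(run) - 8):
            yield run[i:i + 9]
    for m in FORMATTED_SSN.finditer(text):
        yield "".join(m.groups())


def find_ssn_like(text: str) -> list:
    """Distinct, structurally plausible SSNs embedded anywhere in the text."""
    return sorted({w for w in ssn_like_windows(text) if plausible_ssn(w)})


def contains_known_ssn(text: str, ssn: str) -> bool:
    """Precise check only the mailer can run: the client's own SSN digits
    must not appear contiguously (with or without separators) in the piece."""
    digits = re.sub(r"\D", "", ssn)
    return len(digits) == 9 and digits in re.sub(r"[-\s]", "", text)


def check_mail_piece(label: str, client_ssn: Optional[str] = None) -> dict:
    """Pre-mailing gate: block the piece on any hit. The structural scan
    over-flags by design (a false positive costs a manual look; a miss
    costs a breach notification); the known-value check pinpoints."""
    hits = find_ssn_like(label)
    known = contains_known_ssn(label, client_ssn) if client_ssn else False
    return {
        "label": label,
        "structural_hits": hits,
        "known_ssn_present": known,
        "safe_to_mail": not hits and not known,
    }


if __name__ == "__main__":
    for name, label in SAMPLE_LABELS.items():
        print(name, check_mail_piece(label, client_ssn="123-45-6789"))
```

The sliding window deliberately reports several plausible nine-digit sequences for the "embedded" label, not just the real one: a gate that runs before the mail house prints should err toward holding a piece for review, and the known-value check (which the mailer can always run, since it holds the client record) is what confirms which digits actually leaked.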