Lesson for FBR: Pakistani Helps US Govt Avoid Massive Tax Data Breach

Pakistani researcher Kamran Mohsin recently discovered a massive data breach in the United States Florida Department of Revenue’s Business Tax Registration Application, where critical data of over 700,000 users was exposed.

The researcher informed the tax agency about the issue and was later approached for a proof of concept report, which he shared with them.

According to Mohsin’s findings, the breach exposed confidential details such as Social Security numbers, physical addresses, VISA details, and bank account details, among other sensitive data used for filing tax paperwork with the US government.

Mohsin was able to confirm over 713,000 user accounts/applications with the Florida Department of Revenue. The leak occurred as a result of a critical insecure direct object reference (IDOR) vulnerability, a flaw in which the application serves a record identified by a client-supplied ID without checking that the requester is entitled to it; it allowed an unauthorized party to view, change, and even delete business owners’ personal information.
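To make the IDOR pattern concrete, here is an added illustration of a record-lookup endpoint with the flaw beside its fixed form. This is example code written for this article, not the Florida Department of Revenue’s application; the registration records, user names and the `REGISTRATIONS` store are constructed sample data.

```python
# Added illustration (not the Florida application's code): an insecure direct
# object reference (IDOR) in a record-lookup endpoint, beside the fix.
# All records and user names below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Registration:
    app_id: int
    owner: str          # username that submitted the application
    business: str
    ssn_last4: str      # constructed placeholder, not real data


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to touch the requested record."""


# Constructed sample store keyed by a sequential, guessable id.
REGISTRATIONS: Dict[int, Registration] = {
    1001: Registration(1001, "alice", "Alice's Bakery", "1234"),
    1002: Registration(1002, "bob", "Bob's Garage", "5678"),
}


def get_registration_vulnerable(session_user: str, app_id: int) -> Optional[Registration]:
    """IDOR: trusts the client-supplied id and never checks who owns it.
    The logged-in user is ignored, so any caller can walk 1001, 1002, ..."""
    return REGISTRATIONS.get(app_id)


def can_access(session_user: str, app_id: int) -> bool:
    """Object-level authorization: the record must exist AND belong to the caller."""
    rec = REGISTRATIONS.get(app_id)
    return rec is not None and rec.owner == session_user


def _load_owned(session_user: str, app_id: int) -> Registration:
    """Single choke point used by every read/update/delete path.
    A missing record and someone else's record raise the same error, so a
    probe cannot distinguish 'does not exist' from 'exists but not yours'."""
    if not can_access(session_user, app_id):
        raise AuthorizationError(f"registration {app_id} not available to {session_user}")
    return REGISTRATIONS[app_id]


def get_registration_secure(session_user: str, app_id: int) -> Registration:
    return _load_owned(session_user, app_id)


def update_business_name_secure(session_user: str, app_id: int, new_name: str) -> Registration:
    rec = _load_owned(session_user, app_id)   # authorize before mutating
    rec.business = new_name
    return rec


def delete_registration_secure(session_user: str, app_id: int) -> bool:
    _load_owned(session_user, app_id)         # authorize before deleting
    del REGISTRATIONS[app_id]
    return True


if __name__ == "__main__":
    # Vulnerable path: alice retrieves bob's record just by changing the id.
    print(get_registration_vulnerable("alice", 1002))
    # Fixed path: the same request is refused.
    try:
        get_registration_secure("alice", 1002)
    except AuthorizationError as exc:
        print("denied:", exc)
```

The fix is not in the lookup itself but in routing every read, update and delete through one ownership check, which is why the view, change and delete actions described above are all closed by the same change; a server-side audit log of denied requests at that choke point is also where an enumeration attempt against sequential IDs would show up.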

The Florida Department of Revenue confirmed receiving Mohsin’s report about a vulnerability in the Department’s Business Tax Registration Application. The Department verified the vulnerability and immediately disabled external access to the application.

Within 24 hours, the Department corrected the vulnerability in the registration application, and two external data security companies verified that the application is now secure.

Following confirmation from the revenue department, the breach story was widely covered by several top online newspapers in the United States. Due to the revenue agency’s promptness in dealing with the issue, none of the affected taxpayers reported any signs of information exploitation.

Pakistan’s Federal Board of Revenue (FBR) could solve most of its data-related issues if it starts responding to public complaints with similar urgency.

According to the FBR’s latest report on the Pakistan Raises Revenue Project (PRRP), the regulator has in recent years faced a serious threat of data theft from constant attack attempts by hackers, averaging approximately 71,000 cyber-attacks per month. Reports highlight that the threat landscape is evolving faster than the organizations trying to protect themselves.

For starters, hiring competent staff to provide oversight, data protection, and a backup ICT plan for system failure or cyber-attack, especially so that consignment clearance and income tax return filing can continue, is one way to go about it.
