
Tax Relief Biz Exposed Personal Info on 100,000 Clients

A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).

Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.

That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.

According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.

This meant anyone could theoretically have viewed personally identifiable information (PII) on Marriage Tax Refund clients, including: applicants’ full names, gender and home address, plus their partners’ full names and gender, and the refund amount they could request.

Website Planet estimated that in excess of 100,000 clients who signed up to the scheme since the company’s founding in October 2016 could have had their PII exposed in this way.

“A combination of full name, address and marital status are sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring,” the researchers warned.

“Therefore, Marriage Tax Refund’s leak could potentially be used to deploy deeper and more damaging scams by sending customized information directly to their target’s addresses, possibly disguised as communication from Marriage Tax Refund, or, disguised as HMRC but referencing the customer’s business with Marriage Tax Refund and thereby gaining the intended target’s trust.”

After notifying both the UK CERT and privacy regulator the Information Commissioner’s Office (ICO), Website Planet finally saw that the misconfiguration had been fixed by the firm on November 6 this year.
