Shostack + Friends Blog Archive


H&R Block, Unknown # of SSNs, Mailing Labels

Stories like this one make me scratch my head and wonder, what is a breach? What should this category cover? Why do I blog these things? Why are we here? Why are you here? And what are those clowns doing over there?

However, since we sent you this CD, we have become aware of a mail
production situation that has affected a small percentage of recipients,
including you. Due to human error in developing the mailing list, the
digits of your social security number (SSN) were used as part of your
mailing label’s source code, a string of more than 40 numbers and
characters. Fortunately, these digits were embedded in the middle of
the string, and they were not formatted in any manner that would
identify them as an SSN.

Well, that makes me feel a little better than if they were just used as raw data. But I’d really like to see a label, to see if it’s hard to decipher, or is it simply yournameyourzipyourssn?

Nevertheless, we sincerely apologize for this inadvertent error, which
is completely inconsistent with out strict policies to protect out
clients’ privacy. Our internal policies limit the use of client SSNs
for purposes other than tax preparation. Furthermore, our internal
procedures require that mailing source codes are formulated in a manner
that excludes use of any sensitive or confidential information. Please
know that we have conducted a thorough internal review of this matter,
and are taking actions to ensure this does not re-occur.

That doesn’t make me feel better. Did you fire the person who broke your policies, and put your customers at risk? If not, what message are you sending?

(Clown photo from Daenieworld on Flickr, H&R Block story from funsec, via Larry Seltzer.)

2 comments on "H&R Block, Unknown # of SSNs, Mailing Labels"

  • Saar Drimer says:

    “Nevertheless, we sincerely apologize for this inadvertent error, which is completely inconsistent with out strict policies to protect out clients’ privacy.”

  • kathy says:

    I was sure not happy about the situation with the ssn on our mailing label, as last year someone used my husband’s name and dob in an arrest situation, and it was not an easy situation to straighten out, the only thing that saved us was that the person did not know the ssn, and the picture match of my husband and the person who was incarcerated. But, bear in mind, it took a lot of time and aggravation to clear this situation. I only wonder now what type of risk we are at with the ssn on the label. It is not hidden at all, it simply has a few numbers above your name, then it has HRB123456789_2004………very clear what it is, I am not a happy camper and have been terrified with the fact that someone may now have this most important information. What really steamed me was the letter they sent making light of such a life destroying situation if it would happen to get into the wrong hands. Thanks for sharing your info…Restless over this situation
