A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).
Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.
That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.
According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.
This meant anyone could theoretically have viewed personally identifiable information (PII) on Marriage Tax Refund clients, including: applicants’ full names, gender and home address, plus their partners’ full names and gender, and the refund amount they could request.
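The failure described above is a web server serving an index of a directory that holds client documents. The following Apache configuration, an added example that is not from the article or from Marriage Tax Refund's site, shows the exposing setting beside the hardened one; the directory path and the choice of Apache are assumptions, since the article does not name the server or the directory.

```apache
# Added example; the path below is assumed, not taken from the article.
# Weak: with Indexes enabled (or inherited from a permissive vhost default),
# a request for /wp-content/uploads/refund-forms/ returns an HTML listing of
# every PDF in the directory, and each file is then one click away.
# <Directory "/var/www/html/wp-content/uploads/refund-forms">
#     Options +Indexes
# </Directory>

# Hardened: disable listings for the whole document root so a single
# forgotten directory cannot re-enable them, and refuse direct requests for
# the PDFs themselves. The application should serve them only through an
# authenticated endpoint (e.g. a PHP handler that checks the logged-in user).
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
</Directory>

<Directory "/var/www/html/wp-content/uploads/refund-forms">
    Options -Indexes
    # Deny direct downloads; only the application may read these files.
    <FilesMatch "\.pdf$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading Apache, a request for the directory URL should return 403 rather than an HTML index, and a request for any PDF path should also return 403; checking both responses against your own site is a quick way to confirm the change took effect.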
Website Planet estimated that in excess of 100,000 clients who signed up to the scheme since the company’s founding in October 2016 could have had their PII exposed in this way.
“A combination of full name, address and marital status are sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring,” the researchers warned.
“Therefore, Marriage Tax Refund’s leak could potentially be used to deploy deeper and more damaging scams by sending customized information directly to their target’s addresses, possibly disguised as communication from Marriage Tax Refund, or, disguised as HMRC but referencing the customer’s business with Marriage Tax Refund and thereby gaining the intended target’s trust.”
After notifying both the UK CERT and the privacy regulator, the Information Commissioner’s Office (ICO), Website Planet finally saw that the misconfiguration had been fixed by the firm on November 6 this year.