Tax Relief Biz Exposed Personal Info on 100,000 Clients


A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).

Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.

That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.

According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.

This meant anyone could theoretically have viewed personally identifiable information (PII) on Marriage Tax Refund clients, including: applicants’ full names, gender and home address, plus their partners’ full names and gender, and the refund amount they could request.

Website Planet estimated that in excess of 100,000 clients who signed up to the scheme since the company’s founding in October 2016 could have had their PII exposed in this way.

“A combination of full name, address and marital status are sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring,” the researchers warned.

“Therefore, Marriage Tax Refund’s leak could potentially be used to deploy deeper and more damaging scams by sending customized information directly to their target’s addresses, possibly disguised as communication from Marriage Tax Refund, or, disguised as HMRC but referencing the customer’s business with Marriage Tax Refund and thereby gaining the intended target’s trust.”

After notifying both the UK CERT and privacy regulator the Information Commissioner’s Office (ICO), Website Planet finally saw that the misconfiguration had been fixed by the firm on November 6 this year.

 