[funsec] Re: [Full-disclosure] H&R Block Tax Service sends mail with SSN on the label.

Exibar exibar at thelair.com
Sun Jan 1 12:20:29 CST 2006

"limited to you alone..."  sure, all it takes is for one person to figure
out how many digits into this source code that the SSN begins, and there you
go.  Not exactly rocket science there...


----- Original Message ----- 
From: "Troy Solo" <solo at dok.org>
To: <full-disclosure at lists.grok.org.uk>
Cc: <funsec at linuxbox.org>
Sent: Sunday, January 01, 2006 12:55 PM
Subject: [Full-disclosure] H&R Block Tax Service sends mail with SSN on

> My wife received this snail mail letter yesterday:
> "Recently we mailed you a free copy of our TaxCut software.  We believe
> that this complimentary software will meet your 2006 tax preparation
> needs, based on our prior experience with you as an H&R Block client.
> We hope that you will try TaxCut and find it to be a great solution for
> filing your next tax return.
> However, since we sent you this CD, we have become aware of a mail
> production situation that has affected a small percentage of recipients,
> including you.  Due to human error in developing the mailing list, the
> digits of your social security number (SSN) were used as part of your
> mailing label's source code, a string of more than 40 numbers and
> characters.  Fortunately, these digits were embedded in the middle of
> the string, and they were not formatted in any manner that would
> identify them as an SSN.
> Nevertheless, we sincerely apologize for this inadvertent error, which
> is completely inconsistent with our strict policies to protect our
> clients' privacy.  Our internal policies limit the use of client SSNs
> for purposes other than tax preparation.  Furthermore, our internal
> procedures require that mailing source codes are formulated in a manner
> that excludes use of any sensitive or confidential information.  Please
> know that we have conducted a thorough internal review of this matter,
> and are taking actions to ensure this does not re-occur.
> Again, please understand that the digits of your SSN were embedded in
> the middle of a lengthy source code, and they were not formatted in a
> manner that identifies them as an SSN.  As a result, we believe that
> exposure of your SSN digits was limited to you alone, since you are the
> only person who would recognize their significance.  Nonetheless, we
> suggest that you destroy the wrapper and mailing label of the free
> TaxCut CD we sent you.  If you would like more information about this
> incident, please visit www.taxcut.com/answers, a special Website that
> contains additional details and an e-mail link for contacting us with
> your questions.
> On behalf of more than 100,000 associates of H&R Block, allow me to
> apologize for this unfortunate situation.  Through 50 tax seasons, H&R
> Block has earned a reputation as a valued, trustworthy ally to our
> clients, and we sincerely hope that you will find the free TaxCut CD and
> our information packed taxcut.com Website to be helpful tools for the
> 2006 tax filing season.
> Sincerely,
> Tom Allanson
> Senior Vice President & General Manager
> H&R Block Digital Tax Solutions
> 4400 Main Street Kansas City, MO 64111
> www.taxcut.com"
> ---------------------------------
> The part about "the exposure of the SSN was limited to you alone because
> you are the only person who would recognize your number" kills me.
> -- 
> /*
> /*  Troy Solo
> /*  <solo at dok.org>
> /*  Si Hoc Legere Scis Nimium Eruditionis Habes
> /*