Comment Re:TurboTax and Security (Score 1) 110
Sorry, Bob, but those aren't "more facts," it's corporate spin:
> 1. This was a single, isolated incident. There have been no other reports of this type, and our ongoing investigation has not identified any other customers affected by this issue. This issue resulted from an accidental and extremely unusual path to access a prior year return.
Ideally, it wouldn't be up to your customers to detect and report flaws in your software. And the fact that "an unusual path" is required shouldn't offer any comfort: crackers go looking for unusual paths. That's what they *do*. That really shouldn't be news to a vice-president of a company that maintains millions of customers' tax returns on internet-accessible servers.
> 2. We have contacted the three customers who were directly impacted by this issue and are working with them to ensure that their privacy remains protected and their identities secure.
That's great. What are you doing for the millions of others who may have been affected by people not ethical enough to report the discovery?
> 3. Contrary to some of the news reports, this issue does not affect TurboTax Online and the preparation and electronic filing of 2006 tax returns.
No, but it does raise serious concerns about your company's ability to protect the data that's entered on the 2006 return. Most people consider their tax returns to be sensitive information, and your company was allowing access to that information without authentication. That's HUGE... and inexcusable. The "right" response would have talked about thorough code audits, a detailed review of server logs to identify other compromised customers, changes to the design specification, developer training, and quality assurance processes to ensure that this problem doesn't happen again, etc. Yes, that will cost you lots of time and money and hurt the quarterly earnings, but that's why you should have paid attention to security in the first place. You can't just say "whew, that was close... at least only a single user reported the problem!," disable a single hyperlink, and try to pretend like it never happened.
I've been a TurboTax Online user for three or four years now and was always very happy with the service. Now, I have serious reservations, and I doubt I'll be back next year, because your corporate culture doesn't appear to be one to which I'm comfortable entrusting my data. Come to think of it, why do everyone's old returns have to be available on the web anyway? I have copies of all of mine--- can I petition TurboTax to destroy the online versions? If my house burns down and I lose my backups I can presumably write to the IRS; I'm sure that that would be the least of my worries.