Tax preparation companies were warned by the Federal Trade Commission (FTC) in 2023 about the potential misuse of confidential data collected from consumers, and the warning highlighted the risk of civil penalties if that data were used for unrelated purposes. Two years later, a new concern has emerged: the integrity of the tax prep companies' own software.
Gartner, a leading research and advisory company, predicts that by this year 45% of organizations worldwide will have experienced attacks on their software supply chains. If tax preparation software is compromised, the businesses and their customers face devastating consequences, and the impact of a software supply chain attack could extend far beyond the tax deadline in April.
The sensitive data stored within tax preparation software includes financial information, personal details such as marital status and children, and even health data. This makes tax prep companies a prime target for cybercriminals, who can exploit this information for identity theft, financial fraud, phishing attacks, and more. One common method adversaries use to breach tax prep companies' networks is exploiting vulnerabilities in their software.
It is worth noting that tax software, like most software today, relies on open-source components that can introduce security weaknesses. Shockingly, 95% of security weaknesses originate from open-source packages, with half of these vulnerabilities lacking known fixes. Moreover, a significant portion of open-source components are either poorly maintained or not maintained at all. The demand placed on tax organizations during the busy tax season makes it challenging for developers and security teams to keep up with software supply chain maintenance and governance.
To address these vulnerabilities and enhance cybersecurity, tax companies can take several proactive measures. First, they should generate a comprehensive software bill of materials (SBOM) to gain visibility into all software components and to show that compliance standards are met. Organizing and securely sharing SBOMs, and holding third-party vendors to high security standards, are crucial steps in safeguarding tax software.
Additionally, tax organizations must prioritize identifying and fixing vulnerabilities promptly, including those in open-source code for which no patch is available. Solutions that help developers rank vulnerabilities and provide guidance on how to address them can be beneficial. By implementing multi-factor authentication, regular software updates, strong encryption protocols, and cybersecurity education programs, tax companies can enhance their overall security posture.
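The two preceding paragraphs describe the workflow in words: generate an SBOM, then use it to find and rank the vulnerable components, including those with no published fix. The script below is an added example, not code from the original article or from any tax software vendor, showing the core of that triage step: it loads a CycloneDX-style SBOM, matches each component's package URL against a local advisory list, and ranks the findings by severity while separating "upgrade available" from "no fix published" cases. The SBOM contents, the package names (pdf-render, form-parser, csv-import), the advisory identifiers (EXAMPLE-ADV-*) and the version ranges are all constructed for illustration; a real deployment would feed in the SBOM produced by its build tooling and a live advisory source.

```python
"""Cross-check a CycloneDX-style SBOM against an advisory list and rank findings.

Added example, not code from the original article or any tax software vendor.
All component names, versions and advisory identifiers below are constructed
for illustration; replace the SBOM and advisory feed with real inputs.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed CycloneDX 1.5-style SBOM fragment (the shape an SBOM generator emits).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "pdf-render", "version": "2.3.1",
     "purl": "pkg:pypi/pdf-render@2.3.1"},
    {"type": "library", "name": "form-parser", "version": "1.0.4",
     "purl": "pkg:pypi/form-parser@1.0.4"},
    {"type": "library", "name": "csv-import", "version": "0.9.0",
     "purl": "pkg:pypi/csv-import@0.9.0"}
  ]
}
"""

# Constructed advisory feed. 'fixed_in' is None when no patched release exists,
# which is exactly the case the article says still needs attention.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_base": "pkg:pypi/pdf-render",
     "affected_below": "2.4.0", "fixed_in": "2.4.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "purl_base": "pkg:pypi/csv-import",
     "affected_below": "1.0.0", "fixed_in": None, "severity": "critical"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: str
    fixed_in: Optional[str]
    action: str


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def split_purl(purl: str):
    """Split 'pkg:pypi/name@1.0' into ('pkg:pypi/name', '1.0')."""
    base, _, version = purl.partition("@")
    return base, version


def load_components(sbom_json: str) -> List[Dict]:
    """Parse the SBOM and return its component list, refusing other formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return doc.get("components", [])


def match_findings(components: List[Dict], advisories: List[Dict]) -> List[Finding]:
    """Match each component against advisories and rank the results."""
    findings = []
    for comp in components:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl_base"] != base:
                continue
            if parse_version(version) >= parse_version(adv["affected_below"]):
                continue  # installed version is already outside the affected range
            if adv["fixed_in"]:
                action = f"upgrade to {adv['fixed_in']}"
            else:
                action = "no fix published: isolate, add compensating controls, track upstream"
            findings.append(Finding(comp["name"], version, adv["id"],
                                    adv["severity"], adv["fixed_in"], action))
    # Highest severity first; within a tier, unfixable issues first so they are not lost.
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.fixed_in is not None))
    return findings


def triage_report(sbom_json: str = SBOM_JSON, advisories: List[Dict] = ADVISORIES) -> List[Finding]:
    """Full pipeline: SBOM text in, ranked findings out."""
    return match_findings(load_components(sbom_json), advisories)


if __name__ == "__main__":
    for f in triage_report():
        print(f"{f.severity.upper():8} {f.component}@{f.version} {f.advisory}: {f.action}")
```

The point of ranking unfixable findings ahead of fixable ones within the same severity tier is that a missing patch is a decision to make, not a ticket to close: the component either gets isolated, wrapped in compensating controls, or replaced, and the SBOM is what lets the team see every place it is used.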
Ultimately, maintaining a secure software supply chain is essential for protecting user data year-round. By investing in proactive cybersecurity measures, tax prep companies can mitigate the risk of software supply chain attacks and safeguard sensitive information. Prioritizing security and accountability in software development and maintenance is crucial in an era where cyber threats are prevalent.