Taxpayer data exposed online

By | Friday, January 4, 2008

• Print
• [-][+] Font Size
• E-Mail Alerts
• Tell a Friend
• Got a Question?
• You Report
• Click-2-Listen

A security gap on a Maryland government Web site left hundreds of Social Security numbers unprotected as homeowners attempted to register for a property-tax exemption this week.

Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet.

Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers exposed, but the information was transferred to a secure server after an application was submitted.

"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to a different section that was encrypted."

The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received their assessment notices in the mail. Roughly 900 people used the system that day.

Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific location.

"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil."

The Web-based tax-application system is managed by Towson University's Regional Economic Studies Institute.

Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to steal the numbers once they were sent out over the Internet.

"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said.

Mr. Young said officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened Wednesday at about 4:15 p.m. and is now secure, he said.

Reports of identity theft have become more common around the region and across the country in recent years. Last year, there were 446 security breaches resulting in the exposure of nearly 128 million records, according to the Identity Theft Resource Center.

Do you have another point of view, photos, audio, video or more information about a story?