This allegedly gave cybercriminals easier access to data including residential addresses, birth dates, Social Security numbers, bank account numbers and other financial information that helped facilitate the filing of thousands of fraudulent tax returns.
Intuit Didn’t Properly Protect Customers’ Sensitive Information
The lawsuit alleges that Intuit knew or should have known about the recent increase in fraudulent tax filings and data breaches, but failed to take “commercially reasonable measures” to protect customers’ information. This allegedly gave cybercriminals easier access to data including residential addresses, birth dates, Social Security numbers, bank account numbers and other financial information that helped facilitate the filing of thousands of fraudulent tax returns.
Intuit Didn’t Implement Adequate Security Measures to Protect Non-Customers from Fraudulent Filings
Intuit also allowed fraudsters to create fake TurboTax accounts to file fraudulent returns in third-party, non-customer names, according to the class action. When Intuit employees identified a number of TurboTax accounts that they thought were being used solely for fraudulent tax filings, the company allegedly told them not to flag or deactivate the accounts.
Intuit Facilitated the Filing of Fraudulent Tax Returns on TurboTax
The lawsuit claims that companies such as Intuit must be diligent in recognizing fraud and abuse, reporting it to the International Revenue Service (IRS) and working to prevent fraud while safeguarding information that could be used to file fraudulent returns; however, Intuit’s lax security measures did not meet these standards and actually facilitated tax fraud on TurboTax, according to the suit. This allegedly allowed thousands of fraudulent tax returns to be filed.
Intuit Waited Years to Implement Security Measures to Protect Sensitive Information
While security experts told Intuit that the company should add certain safety measures to protect TurboTax customers, the company did not implement these “very basic security measures” until years later, according to the suit. Specifically, the class action claims that Intuit should have added a two-step verification process to TurboTax, where users logging into their accounts would be prompted to further verify their identities by email or phone; however, Intuit waited until February 2015 to add two-step verification to TurboTax and only did so after states reported suspicious tax filings from the software and the company had to temporarily suspend state e-filing operations.
Intuit Put Thousands at Risk for Further Identity Theft
One plaintiff named in the lawsuit, Christine Diaz, alleges that she purchased Intuit’s TurboTax software to do her taxes in 2011, but hasn’t used the program again since. Yet, in January 2015, Diaz was notified that federal and state tax returns were filed under her name using the software and later received a bill for more than $200 for these fraudulent returns, according to the lawsuit. As a result of these fraudulent filings, the lawsuit claims that Diaz is now ineligible for online tax filing, is at an increased risk for future identity theft and must pay for ongoing credit monitoring.
Another plaintiff, Michelle Fugatt, alleges that she never used TurboTax to do her taxes, but was notified in March 2015 that someone had filed a tax return under her name using the software. In addition to being at an increased risk for identity theft, the plaintiff alleges that she may also lose eligibility for certain government programs because the fraudulent tax return was filed for a much higher income.