Some Florida residents may keep a close eye on their finances after a security incident. Researcher Kamran Mohsin told TechCrunch that the Florida Treasury Department’s website had an error that exposed the bank account and social security numbers of hundreds of applicants. Anyone logging into the state business tax registration site could see, change, and even delete personal information simply by changing the web address, which points to a taxpayer’s application number — you just had to change the digits in the link.
At the time of the discovery, there were over 713,000 applications in the ministry’s pipeline, Mohsin said. Mohsin warned the ministry about the bug on October 27.
Department representative Bethany Wester said in a statement that the government corrected the error within four days of the report and that two unnamed companies considered the site safe. She added there was “no evidence” that attackers abused the bug, but didn’t say how officials could have discovered any abuse. The agency contacted all affected taxpayers by phone or in writing within four days of learning of the problem and offered one year of free credit monitoring.
