Monday, February 18, 2008

How Public Is YOUR W2?

As many of you know, some companies work really hard to get your tax documents out to you in a timely manner. Others don't really care HOW the information gets to you, as long as they aren't held to blame for missing the deadlines set forth by government agencies. Some of those who offload the work of tax document generation to a third party may be publicizing that information on the Internet!!!

I needed to obtain a W2 from a previous employer who states that they mailed out all tax documents before the deadline. It's lost in the mail. Yeah, no big surprise there. Instead of agreeing to send it out to me again, I was given the address to a public Internet site to download the form myself. Personal information security is a concern of mine -- in fact, it's part of my job -- so I thought I'd give it a whirl and take a look at the security processes involved. As it turns out, all anyone would need in order to download my W2 from this site are my last name, Social Security number and the public acronym of the company I used to work for. Yep -- that was it!

I went to a coworker of mine and tasked him with bringing up my W2 via the site. It took him less than 45 seconds to do so, because as a developer he happens to have access to the company databases.

Perhaps you are asking yourself, "Who would have my Social Security Number?" Well, that would be the majority of all organizations you do business with who have an interest of some sort in your credit rating or believe that Social Security numbers are good for uniquely identifying you from everyone else in the country/world. Now consider the number of companies who have sent (or are sending) a large amount of their customer service and/or database management support overseas, and the number of hackers on the web who would LOVE to get copies of such documents of yours and sell them to counterfeiters. The numbers are VERY high and I'd suggest you dial 911 and report a heart attack prior to researching the operating standards of the companies you do business with.

Currently, my software developers and I are working on a project which will make a lot of these concerns go away, but until we are ready to release that application, I suggest you contact each of the companies you have worked with in recent years and ensure that they have not made your personal tax information available on the Internet. If they HAVE made any of your information available on the web, politely ask them to remove it immediately and inform them that they DO NOT have your permission to ever perform such an act of stupidity with your information ever again. Next, you should bow your head, cover yourself in ashes, kneel in an Easterly direction, sacrifice a small animal or whatever it is you prefer to do while praying that you plugged the leak before the hackers of the world gained access to it.
