Date: Sun Jan  1 17:55:21 2006
From: solo at dok.org (Troy Solo)
Subject: H&R Block Tax Service sends mail with SSN on the label.

My wife received this snail mail letter yesterday:

"Recently we mailed you a free copy of our TaxCut software.  We believe 
that this complimentary software will meet your 2006 tax preparation 
needs, based on our prior experience with you as an H&R Block client. 
We hope that you will try TaxCut and find it to be a great solution for 
filing your next tax return.

However, since we sent you this CD, we have become aware of a mail 
production situation that has affected a small percentage of recipients, 
including you.  Due to human error in developing the mailing list, the 
digits of your social security number (SSN) were used as part of your 
mailing label's source code, a string of more than 40 numbers and 
characters.  Fortunately, these digits were embedded in the middle of 
the string, and they were not formatted in any manner that would 
identify them as an SSN.

Nevertheless, we sincerely apologize for this inadvertent error, which 
is completely inconsistent with our strict policies to protect our 
clients' privacy.  Our internal policies limit the use of client SSNs 
for purposes other than tax preparation.  Furthermore, our internal 
procedures require that mailing source codes are formulated in a manner 
that excludes use of any sensitive or confidential information.  Please 
know that we have conducted a thorough internal review of this matter, 
and are taking actions to ensure this does not re-occur.

Again, please understand that the digits of your SSN were embedded in 
the middle of a lengthy source code, and they were not formatted in a 
manner that identifies them as an SSN.  As a result, we believe that 
exposure of your SSN digits was limited to you alone, since you are the 
only person who would recognize their significance.  Nonetheless, we 
suggest that you destroy the wrapper and mailing label of the free 
TaxCut CD we sent you.  If you would like more information about this 
incident, please visit www.taxcut.com/answers, a special Website that 
contains additional details and an e-mail link for contacting us with 
your questions.

On behalf of more than 100,000 associates of H&R Block, allow me to 
apologize for this unfortunate situation.  Through 50 tax seasons, H&R 
Block has earned a reputation as a valued, trustworthy ally to our 
clients, and we sincerely hope that you will find the free TaxCut CD and 
our information packed taxcut.com Website to be helpful tools for the 
2006 tax filing season.

Sincerely,

Tom Allanson
Senior Vice President & General Manager
H&R Block Digital Tax Solutions

4400 Main Street Kansas City, MO 64111
www.taxcut.com"

---------------------------------

The part about "the exposure of the SSN was limited to you alone because 
you are the only person who would recognize your number" kills me.

-- 
/*
/*  Troy Solo
/*  <solo@....org>
/*  Si Hoc Legere Scis Nimium Eruditionis Habes
/*
