Six of 13 IRS-Approved Tax Preparers Fail Cybersecurity Test

The Wall Street Journal, By Laura Saunders
Updated Feb. 26, 2016 3:42 p.m. ET

Nearly half the firms that have agreements with the Internal Revenue Service to provide online tax-preparation and filing services are failing to protect customers’ privacy and security, according to an audit released Wednesday.

The audit by the nonprofit Online Trust Alliance found that six out of 13 firms, including Jackson Hewitt and, don’t provide adequate security against cybercriminals. Seven firms, including TurboTax, H&R Block, TaxAct and TaxSlayer, were praised for their practices and named to an “Honor Roll.”

The firms are the members of the IRS’s Free File Alliance, a program that offers free tax-preparation and e-filing to taxpayers filing about 100 million federal returns. People with adjusted gross income of $62,000 or less are eligible for the program. The OTA says the findings are relevant for all customers of the 13 tax-prep firms it examined, not just lower-income taxpayers who qualify for the program.

“As the report rightly notes, the areas of security and privacy are evolving daily,” the IRS said in a statement, adding that the agency works with the industry to “encourage tougher standards.”

The Online Trust Alliance is a nonprofit based in Bellevue, Wash., that says its mission is to help protect Internet users’ security, privacy and identity. The group says its funding is provided by a combination of technology, security and privacy firms, plus companies including Twitter Inc. and Publishers Clearing House.

The group did the audit in early February. It was funded in part by grants from cybersecurity firms Agari Data Inc., DigiCert Inc. and Symantec Corp. The study of tax-prep services is the group’s most recent examination of the security practices of online sectors. Other reports have studied retailing, banking and social-media sites.

Over the past year, the IRS, state tax officials and tax-preparation firms have conducted a campaign to combat tax-refund fraud, a crime in which thieves use stolen personal information to file a false return and claim a refund.

The IRS said Friday that more than twice as many taxpayer accounts may have been hit by cyber-criminals as the agency previously reported, with hackers gaining access to as many as 700,000 accounts and attempting to break into an additional 575,000. The hackers targeted “Get Transcript,” an IRS application that allowed taxpayers to obtain tax return information for prior years. If the thief is able to use information from a real taxpayer’s prior returns, the fake return could be harder for federal and state fraud filters to detect.

Also this year, two tax-prep firms that provide software to individuals who prepare their own returns have reported data breaches by criminals using personal information stolen elsewhere. The firms were TaxAct, a unit of Blucora Inc., and TaxSlayer LLC. Both providers are on the OTA Honor Roll.

In response to the results of the OTA audit, Jackson Hewitt said in a statement that it is “focused on protecting our clients’ personal data” and that it will study the OTA’s evaluation to “determine if there are further improvements we can make.” A spokesman for said it is “very strict” in protecting the security of customer data and is seeking more details from OTA. referred The Wall Street Journal to a statement from the Free File Alliance, which said: “The IRS works with the Free File Alliance members each year to evaluate each company and ensure that the software meets the highest standards of security, privacy and support.”

The other three firms that failed–, and Online Taxes at—didn’t respond to emailed requests for comment.

The study rated the online tax-filing services in three categories: consumer protection, site security and privacy. Although the report didn’t disclose the specifics of how each firm performed in each category, it noted that three failing firms had inadequate security against well-known vulnerabilities that have been exploited by cybercriminals in the past.

The study compared specific security features adopted by the tax-prep sector to those adopted by other sectors studied by the group. For example, the tax firms scored well overall on privacy compared with banks. But they did worse than the banks in protecting consumers against fraudulent email, according to Craig Spiezle, president of the Online Trust Alliance.

The tax providers also lagged behind 100 top online retailers in adopting two leading security protocols, known as SPF and DKIM. These software standards, which Mr. Spiezle said are simple and free, help detect fraudulent emails used for phishing and identity theft. Cybercriminals, for instance, could forge email that appears to come from the IRS or tax preparers in order to obtain personal information they could use to file for refunds or take over financial accounts.

While about 90% of the top retailers had adopted these standards, only eight of the 13 tax services had adopted them.

“The IRS expects more than 120 million returns to be filed electronically this year, so it’s troubling that any of these approved tax-filing firms aren’t addressing security basics,” Mr. Spiezle said.


This important news article is provided to you as a service of Di Iorio & Di Iorio, LLC. At Di Iorio & Di Iorio, LLC, we use Intuit ProSeries Tax Software which is fully encrypted and is updated hourly with all of the latest administration and regulation by federal and state governments. Visit us at, or call for an estimate or appointment at 908-451-2016.  Our offices are conveniently located at 567 Park Avenue, Suite # 203, Scotch Plains, New Jersey.
