As is typical of data breaches, where the overall impact of a cyber-security “incident” is initially underestimated, the hack of the Massachusetts Department of Revenue in the US disclosed last week was more than twice as large as originally anticipated by the tax-collecting agency.
The US state revenue department now admits that private data, including the names, tax identification numbers and the banking information of the payroll processors of more than 39,000 business taxpayers, was compromised, according to reporting by the Boston Globe.
When the agency initially reported the breach, it did not include the fact that social security numbers were breached, but a department spokeswoman has since acknowledged to the newspaper that at least one was exposed to an unauthorised party as a result of the attack, which occurred between August 2017 and 23 January, 2018.
According to a forensic review, the breach is thought to have been triggered when the state's MassTaxConnect allowed portal users to ask questions about withholding, which let tax agents, including payroll vendors, view bulk file data. Of the 244 payroll companies that use the system, 38 had their information exposed by the flaw, which the agency says was fixed in January within hours of it being made aware of the breach.
But it did not explain why payroll processors weren't informed until 9 February.