A data breach at the Massachusetts Department of Revenue was much larger than the tax-collecting agency originally reported, inadvertently making private information from about 39,000 business taxpayers viewable to other companies — potentially even competitors.
That’s more than twice the number of filers the Baker administration originally said last week could have been affected by the breach.
The snafu, which lasted from early August 2017 through Jan. 23, 2018, allowed some companies to view other business’s names, tax identification numbers, amount and date of tax payments, number of employees, and banking information about their payroll processor, Department of Revenue spokeswoman Nathalie Dailida said Wednesday.
The Baker administration said last week that, as a result of the breach, no individual employee data, such as Social Security numbers, were viewable to those who shouldn’t have seen it. Now, in addition to expanding the pool of those affected, the administration acknowledged one person’s Social Security number was visible to those who should not have had access to it.
The Department of Revenue reported what happened with that number, triggering a review by Attorney General Maura Healey, her spokeswoman said.
Just as tax season begins in earnest, the new disclosures raise troubling questions about the competence of the state’s tax-collection agency and its ability to keep personal information private. And the breach could cause a headache for Governor Charlie Baker, a Republican up for re-election in November, who has billed himself as a leader who makes state government more efficient and effective.
Christopher C. Harding, who was appointed revenue commissioner by Baker and started last August, declined through a spokesperson to speak to the Globe about the matter, but offered a statement.
“After recently identifying an issue within the MassTaxConnect system in which no individual employee data was made viewable, the department has now completed its internal review of this serious matter including a forensic review and quality assurance to verify the scope of this reporting issue, is notifying all impacted filers, and will ensure the safety and security of all taxpayer information filed with DOR,’’ he said.
The breach began when the agency made a technical change aimed at allowing its tax agents to help businesses with questions about withholding. That shift allowed those agents to view bulk file data — the information submitted by payroll vendors — sent through a portal, MassTaxConnect.
But something went wrong along the way.
Of the 244 payroll companies that Dailida said used the troubled portal, 38 payroll companies — and their about 39,000 business taxpayer clients — were affected by the bug.
That allowed a client of one of the affected payroll companies to peek into another client’s private tax information. But companies would not have been able to see the data from a business that used a different payroll company, Dailida said.
She said the agency’s forensic review found that 128 files were viewed by 145 unique business clients, but those numbers include some companies looking at their own tax data. Of those files, Dailida said, seven contained banking information with 14 bank accounts associated with payroll processors.
Last week, Baker administration officials said, despite the months-long data glitch, the Department of Revenue had fixed the issue in January within hours of being made aware of it. But it did not send out a letter notifying payroll processors of the breach until Feb. 9, more than two weeks later.
The reason for that delay was not entirely clear. Nor was a full explanation forthcoming Wednesday for why the agency more than doubled its declaration of how many filers may have been impacted by the breach. (Administration officials said the review of what happened had been ongoing and is now complete.)
As for the Social Security number, Dailida said as part of the forensic review the agency conducted, it cross-checked data that could have been inadvertently exposed.
In doing so, she said, the department determined that a business owner was using his or her Social Security number as his or her federal Employer Identification Number, “which does not conform with IRS instructions.’’
Still, that revelation has now triggered a process mandated by state law. Dailida said the tax-collection agency is now “notifying the impacted taxpayer and engaging with the Office of the Attorney General, the Office of the Secretary of the Commonwealth, the Executive Office of Technology Services and Security, and the Office of Consumer Affairs and Business Regulation.’’
The Globe first became aware of the breach last week after being forwarded an e-mail sent to a client by Gusto, a payroll, benefits, and human resources company.
The changes the agency made to the tax portal, the e-mail said, “erroneously permitted business taxpayers to view files containing company names, federal employer identification numbers (FEINs), and tax payment amounts for companies like yours. As a result, people outside your company could see your company data.’’
The new disclosures Wednesday came after Globe inquiries about whether the Department of Revenue had underreported the scope of the breach.
It wasn’t clear who was responsible for the data troubles, but Dailida said that the deep-dive review “included Chief Information Officer Mike Guerin’’ and a vendor that has been working on the tax platform since early 2014.
“The Department of Revenue takes data management seriously and will continue to take all precautions necessary to ensure reporting data is securely managed throughout this tax season,’’ Harding said in the statement.
A spokeswoman for Baker, Elizabeth Guyton, said the governor has full faith in Harding as the leader of the agency.
Joshua Miller can be reached at joshua.miller@globe.com. Follow him on Twitter at @jm_bos
