The FTC has recently provided specific guidance on what it considers appropriate data breach protection activity by financial institutions. Such guidance came by virtue of a proposed consent order, dated August 29, 2017, specifically involving a data breach by TaxSlayer, LLC.
The data breach started with a hacker who obtained a list of usernames and passwords that were stolen from other websites. Since many people reuse the same username and password for multiple websites, the hacker was able to use these login credentials and gain access to thousands of accounts on TaxSlayer’s website. After gaining access to the accounts, the hacker was able to remove the confidential financial information provided by over 8,000 of TaxSlayer’s customers and file an unknown number of fraudulent tax returns. This obviously caused significant issues for each of TaxSlayer’s customers affected by this data breach.