National ID Watch

Tax Preparer Accidentally Exposes 701 SSNs on Hot Spot

FOR IMMEDIATE RELEASE: April 9, 2008

Media Contact: Aaron Titus
(202) 669-2969

ALEXANDRIA, Virginia. The office of Martha Yungk, EA accidentally exposed the private information of 7,003 of her clients, former clients and their families on a public wireless network, or "Hot Spot." The information includes more than 700 social security numbers, 400 addresses and phone numbers, and detailed tax information for 2,796 people. Personalized letters to the IRS and multiple state tax agencies are among the more than 300 sensitive documents exposed on the hot spot, which was available to any member of the public with a laptop, who came within 150 feet of the office. The network also contained detailed payment schedules for several thousand clients for tax years 1995-2008, including businesses. The affected individuals appear to be most or all of Martha Yungk's clients, since the mid-1990's.

There's no doubt that the exposure was accidental. Ms. Yungk told the Liberty Coalition that a broken router was accidentally replaced with a wireless router without her knowledge, in late February, 2008. Once the Liberty Coalition notified her of the breach, the router was immediately replaced. Ms. Yungk was thankful for the Liberty Coalition's efforts, and quite gracious.

The exposed documents contain a wide variety of information, including notes such as, "Owes for many previous years..." "...Tax Prep Bounced..." "...Credit card was declined in numerous attempts during 2005," and notes about health, alimony, and criminal tax actions by the IRS. We notified Martha Yungk's office that they should cease broadcasting this information to the public, hire a professional to fix network vulnerabilities, and notify their clients that their information had been exposed to the public.

The following are a few key facts surrounding the breach:

1. Martha Yungk's office provided an open, unencrypted wireless network any member of the public within 150 feet of the office, including public areas such as the lobby, and parking lot. The wireless network did not require a password, and was not secure.
2. Martha Yungk's office attached certain internal business computers to its public wireless network, which contained sensitive client information. Such computers were not password-protected.
3. Martha Yungk's office further affirmatively placed private client information in shared folders, which were open to the public simply by double-clicking. The shared folders were not password-protected, and the client information was not encrypted.
4. All of the sensitive client information was available to any member of the public with a laptop who came within 150 feet of the office in the parking lot, was accessible using only a mouse, and required no passwords.

No hacking was necessary to access the information. When any member of the public associated to Martha Yungk's wireless network, Windows would often automatically search the network for shared folders, and populate "My Network Places" with links to shared folders.

Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.

About NationalIDWatch.org

National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.