April 10, 2001, 10:36 AM — Due to a now-corrected software glitch, about 150,000 TurboTax software users were notified yesterday that they'd need to establish new online access passwords.
The password changes were made necessary after an engineer at Intuit Inc., the makers of TurboTax, discovered that the passwords were inadvertently being saved on Intuit's servers and on users' computers when Form 1099 investment data was directly imported into the program.
The problem affected only users who imported investment data directly into their computers through their online brokerage accounts with seven investment companies, according to Intuit spokeswoman Julie Miller. The firms are Fidelity Investments, The Vanguard Group Inc., TD Waterhouse Group Inc., T. Rowe Price Group Inc., Salomon Smith Barney Holdings Inc., Citicorp Investment Services' Cititrade and Invesco Funds Group Inc.
Miller said the problem affected about 1% of approximately 15 million tax returns that will be filed this year using TurboTax's popular tax-return preparation software. No customer data was compromised due to the problem, according to the company.
All the customers who were affected were notified by Mountain View, Calif.-based Intuit through e-mails and letters mailed out yesterday, she said. The letters advised the customers of the problem and explained that because of concerns about the security of their tax and investment information, they should update their TurboTax software with a free online patch and immediately change their account password.
To update the software, users need to click the update button in TurboTax and the repair will automatically be completed. A toll-free number is also available for questions at (800) 224-0933.
Intuit implemented a fix so that all customers who import the 1099 investment data are now protected from having their passwords saved. All of the previously saved passwords have been deleted by the company, Miller said.
The problem was discovered in early March by an Intuit engineer, then the partner investment companies were notified while a fix was created. The problem and its resolution were officially announced yesterday.
"We didn't want to give a blueprint to the hacker community where [the problem] was," Miller said.
Instead of being angry, many of the 150,000 TurboTax users whose passwords were disabled said they were pleased that Intuit and their investment partners took the action.
Jessica Catino, a spokeswoman for Fidelity Investments in Boston, said some of the affected customers had called in with kind words about the resolution of the problem and had already established new passwords.
"The general sentiment ... is they've been appreciative we're taking their confidentiality seriously," Catino said.
Bruce Mattes, a spokesman for The Vanguard Group in Valley Forge, Pa., said customers who called in had "universally applauded the move" to quickly protect their data.
The company knew it would "inconvenience some people, but we decided to protect their privacy," Mattes said.
