Security Glitch in TurboTax

April 6,   S A N J O S E, Calif., 2001 -- A programming glitch in Intuit Inc.'sTurboTax software has posed a potential security problem for asmany as 150,000 users and may force them to change their passwords,the company said Thursday.

The glitch affected about 1 percent of the total number of usersof the tax preparation software and has since been fixed, saidIntuit spokeswoman Holly Anderson.

"No customer data has been compromised nor are customers' taxreturns or refunds affected in any way," she said.

The problem affected many of those who used a new feature thatallowed them to import their 1099 investment tax data directly fromtheir financial institutions to their TurboTax files.

During the import process, the program inadvertently — andquietly — saved onto the user's computer hard-drive the accountpassword that gave the user access to their investment information.For those using TurboTax via Intuit's online services, the accountpasswords erroneously were saved onto the company's servers.

The problem lasted from Jan. 31 to March 4, when the companyupgraded its software as a fix. However, some users could have beenaffected up through Wednesday, if they chose not to upgrade theirsoftware when prompted by the program.

A more permanent fix was put in place Thursday which forcedevery user to upgrade the software before importing investmentdata.

The fix automatically deletes the account password that wassaved in the user's computer.

The security risk, which the Mountain View-based financialsoftware maker characterized as "very remote," stems from ahacker getting into a user's computer or Intuit's servers, andobtaining the passwords to gain access to investment data.

The seven financial institutions that have partnered with Intuitto use the import feature were notifying their affectedshareholders of the password problem Thursday, Intuit said. Thecompanies are: Vanguard Group, Citigroup Investment Service'sCititrade Account, Fidelity Investments, Invesco Funds, SalomonSmith Barney, TD Waterhouse and T. Rowe Price.

Some of the institutions recommended their shareholders changetheir account passwords as a precaution. Others, includingVanguard, took a more extreme measure and disabled the passwords ofshareholders who imported the tax data, forcing them to set newones.

"We'd rather have someone upset at us for not being able to getinto their account than to have someone intrude their account,"said Brian Mattes, a Vanguard principal.

Intuit said it discovered the problem in early March and deletedthe passwords from its servers. By March 4, it issued a softwarepatch that deleted the password from the user's computer if theuser chose to update their TurboTax software.

The more permanent fix was completed Wednesday so users wouldhave to get the software upgrade before importing investment data.

In addition to TurboTax, Intuit makes the Quicken and QuickBookaccounting software.