
SARS leak shows up deficiencies

By Nicola Mawson, Contributor.
Johannesburg, 01 Sept 2011

A South African Revenue Service (SARS) database leak, in the middle of the tax season, is the second time the government organisation has exposed private information by accidentally e-mailing it to thousands of clients.

The incident shows the office lacks proper vetting procedures, and raises concerns that more sensitive information could be widely shared through electronic communication.

On Monday evening, human error resulted in the taxman sending an e-mail containing an attachment with 20 000 e-mail addresses to 20 000 employers. SARS says it is taking the matter seriously, and some staff members have been suspended, pending an investigation.

However, this is not the first time such a breach has occurred. SARS had a previous incident about a year ago.

ITWeb also revealed in May that the Direct Marketing Association of SA's (DMASA's) “do not contact” database had been leaked.

The DMASA incident put about 39 000 people at risk of identity theft. The association used to e-mail the registry to its 398 members, but has since implemented a secure online checking process.

SARS group executive Mark Kingon admits a similar breach occurred about a year ago, during which people's e-mail addresses were also compromised.

Kingon says the recent breach is relatively small compared with the “millions of clients” the service deals with. However, SARS threatens to go after anyone who uses the e-mail addresses for direct marketing purposes.

Could've been worse

About 200 000 companies are registered on SARS's electronic database. These are firms that file annual payroll reconciliations through its online e@syFile software system.

In addition, more than 10 million individual South Africans are registered on its database, although many of these fall below the tax threshold and do not file returns. Last year, it received more than four million returns from individual taxpayers, of which about 95% were submitted electronically, either personally or through a branch.

Kingon explains SARS was sending e-mails, in batches of 20 000, to about 150 000 companies to inform them about functionality related to income tax registrations. He says staff attached a file containing the addresses instead of the PDF letter.

SARS sends communications such as these out in batches of 20 000 to limit the damage any single mistake can do, says Kingon. He adds that if a batch of 100 000 e-mails had been sent, many more e-mail addresses would have been exposed.

In terms of the Income Tax Act, it is a criminal offence to disseminate any information relating to South Africans held by the service, says Kingon. However, he concedes that the office will not be able to trace whether the mailing list has been forwarded.

Despite that, Kingon warns SARS will lay criminal charges if it finds out that the database has been used for marketing or other purposes. “We will challenge [them]; it's a criminal offence.”

Kingon says “data integrity is critical for our business,” but adds that it is ultimately a human who pushes the button. He says some staff members have been suspended pending an investigation, but will not disclose how many employees are affected.

Process failure

SARS proactively apologised to companies that were affected by the breach, says Kingon. The e-mailed apology asked people to “immediately delete this e-mail and its attachment,” referring to the mail containing the file with 20 000 e-mail addresses.

“The South African Revenue Service takes stringent measures to protect and safeguard the information of taxpayers, including their e-mail addresses. Unfortunately, these safeguards failed in this instance,” says the apology.

After the previous leak, stricter measures were put in place, says Kingon.

However, World Wide Worx MD Arthur Goldstuck says the leak could have easily been prevented and should not have happened in the first place.

Goldstuck says it is concerning that SARS has not learnt from its past experience, and the public will now be waiting for the service's next blunder. “The potential exists for more sensitive information to be put out there. That's the real danger, what happens next.”

Taxpayers should be concerned, says Goldstuck. He explains that companies should always test a mass mailing before it goes out, by first sending the communication to a person internally for vetting. “It's basic best practice and it's also common sense.”

This applies to small and large companies, and will save them from embarrassment, says Goldstuck. He adds that automation is only as good as the processes behind it, and will show up any deficiencies.

“It would almost be amusing if it wasn't such a violation to see an organisation like SARS not have that process in place.”
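The controls described above, an internal test send before any mass mail (Goldstuck) and capped batch sizes (Kingon), together with the specific error that occurred (the recipient list attached in place of the PDF letter), can be enforced mechanically as a pre-send gate rather than left to the person pushing the button. The following Python is an added example written for this page; it is not SARS's, ITWeb's or any vendor's code. The `Campaign` structure, the thresholds, the reviewer field and all sample addresses are constructed assumptions.

```python
"""Pre-send gate for bulk mail: refuse to send when an attachment is (or
contains) the recipient list, when no internal test send is on record, or
when the batch exceeds the agreed cap.  Added example; sample data is
constructed and the thresholds are assumptions, not SARS policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Loose e-mail matcher; good enough for spotting address lists in text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

MAX_BATCH = 20_000                 # batch cap; the size the article says SARS sends in
MAX_ADDRESSES_IN_ATTACHMENT = 5    # more than this in one file looks like a list, not a letter


@dataclass
class Campaign:
    recipients: List[str]
    attachments: Dict[str, bytes]          # filename -> raw content
    vetted_by: Optional[str] = None        # reviewer who received and approved the internal test send


def addresses_in(blob: bytes) -> Set[str]:
    """Distinct e-mail addresses found in a text-like attachment (CSV, TXT, HTML).
    Caveat: PDF and Office formats store text compressed or encoded, so the
    caller must run text extraction first (assumed, not done here)."""
    text = blob.decode("utf-8", errors="ignore")
    return {m.lower() for m in EMAIL_RE.findall(text)}


def check_campaign(c: Campaign) -> List[str]:
    """Return the reasons this campaign must NOT be sent; an empty list means clear to send."""
    problems: List[str] = []
    recipients = {r.strip().lower() for r in c.recipients}

    # 1. Blast-radius cap: one bad send exposes at most MAX_BATCH addresses.
    if len(recipients) > MAX_BATCH:
        problems.append(f"batch of {len(recipients)} exceeds the cap of {MAX_BATCH}")

    # 2. Vetting step: somebody inside must have received the exact mail and approved it.
    if not c.vetted_by:
        problems.append("no internal test send on record; mail it to a reviewer first")

    # 3. Content check: an attachment that carries the recipients' own addresses,
    #    or any large number of addresses, is a mailing list, not a letter.
    for name, blob in c.attachments.items():
        found = addresses_in(blob)
        overlap = found & recipients
        if overlap:
            problems.append(
                f"attachment {name!r} contains {len(overlap)} of the recipients' own addresses")
        elif len(found) > MAX_ADDRESSES_IN_ATTACHMENT:
            problems.append(
                f"attachment {name!r} contains {len(found)} e-mail addresses; looks like a mailing list")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Run the gate over a constructed wrong campaign and a constructed correct one."""
    # Constructed sample recipients; not real addresses.
    recipients = [f"payroll{i}@employer{i}.example" for i in range(20_000)]
    recipient_csv = "\n".join(recipients).encode()
    letter = (b"Dear employer,\nNew functionality for income tax registrations is available.\n"
              b"Queries: contactcentre@revenue.example")   # one contact address is fine

    # The mistake in the article: the address file attached instead of the letter, never test-sent.
    wrong = Campaign(recipients, {"recipients.csv": recipient_csv})
    # The same mailing done properly: the letter attached and an internal reviewer on record.
    right = Campaign(recipients, {"Letter.pdf": letter}, vetted_by="reviewer@revenue.example")
    return check_campaign(wrong), check_campaign(right)


if __name__ == "__main__":
    bad, good = demo()
    print("wrong campaign blocked because:", *bad, sep="\n  ")
    print("correct campaign problems:", good)
```

The gate is deliberately dumb: it does not try to understand the letter, it only asks whether any attachment carries addresses that belong to the people being mailed, which is exactly the condition that held in both SARS incidents. It catches the accident the article describes, not deliberate exfiltration, and it only sees into attachments whose text is in the clear; binary formats need extraction before the check.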

Kingon says SARS is continuously looking at ways to improve its systems and processes. The office is looking at various options to prevent a repeat of the leak, he notes.

The tax filing season kicked off on 1 July. Non-provisional taxpayers have until 30 September to file manually, while those using eFiling have until 25 November. Provisional taxpayers who file electronically have until the end of January to submit.
