> I am very doubtful that Intuit or H&R Block, for example, invest in security sufficient to protect themselves against that level of attack.
I can't speak to H&R Block, but I used to work for Intuit and I can attest that they took security very seriously. We were often subject to extreme security precautions despite the fact that the application I worked on didn't have any PII and the entire purpose of it was to make the information in our database available to the public and search engines. The rationale for forcing us to comply with the corporate security policies was that any breach of any Intuit service would be damaging to the Quickbooks and TurboTax brands. One of the reasons I left was because of the frustration with security compliance. The organization is incredibly slow moving on everything because the people in charge of security basically have carte blanche to shut down or delay projects until they've been properly screened. Intuit also doesn't cheap out on hosting either. I heard an internal rumor that they were spending $40m/yr serving TurboTax, and that didn't count the construction of the two dedicated data centers that they had built in previous years.
Whether their security is good enough to defend against a state-level adversary is hard to say, but my personal guess is that if you wanted to get at tax returns, it'd be easier for attackers to target the IRS directly, both because it'd probably be easier and you'd get access to the returns of 100% of Americans rather than just the percentage of Americans who use TurboTax Online. Keep in mind that most high-net-worth individuals don't use these online tools and, instead, have accountants and lawyers who prepare their returns.
Where Intuit has been vulnerable in the past has been in accepting fraudulent returns. For a while, you didn't need much more than an SSN and a few pieces of personal information to file a tax return, so identity thieves would file returns that had the highest possible refund and make off with that money. But that's not really a breach and I know they worked with the government in addressing that problem and I haven't heard much about it since.
The above mentioned security. The workload, which has two spikes in January and April, moderate traffic in between and is basically non-existent April through December is pretty much the poster child for cloud since you could spin down capacity in the 8 months where you don't see much traffic. This is why Intuit has publicly stated that they want to go all in on AWS. But, at least when I was there, the internal security teams were making it very difficult to get cloud deployments approved. I know they were working closely with Amazon engineers to fix/design solutions to the gating security concerns, but I have no idea how far they've gotten.
But when you look at the money involved, you can see why Intuit is moving so slowly and is willing to continue to spend on its own data center. $40m/yr may sound like a lot of money, but when your product pulls in $3b/yr, it's a rounding error. And the data centers aren't dedicated to TurboTax...Quickbooks and a few other products run there too. And I have to say that, for certain services, I think you get a lot of peace of mind from not sharing and having your own data center. Take, for example, Intuit's service for scraping data from financial institutions (FICDS). It powers Mint, Quickbooks and TurboTax and is required to store login credentials for people's banks, retirement accounts, brokerage accounts and such. Needless to say, the security of such a service is paramount and there's no way that I'd ever entrust my banking credentials to any service hosted in the cloud. You just can't get the same level of security you can get when you've got physical control over your hosting.