
Tax preparation firms shared sensitive information with Meta

A group of seven US senators has sent a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, saying they have found evidence that reveals “a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms.”

According to the letter, information about tens of millions of US taxpayers was sent by three tax preparation firms to social media giant Meta. The letter asked the agencies to immediately open an investigation.

The tax firms used Pixel code on their websites to track and improve their media campaigns. Pixel is an integral part of Meta’s tracking infrastructure, which collects data about people online. That data is eventually used for targeted advertising, tailored content recommendations, and to train Meta’s algorithms.

The Pixel code is freely available and designed to help both the website owner and Meta. The code gathered information like names and email addresses, but also more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

Despite what you might expect, it doesn’t matter whether the person using the tax filing service has an account on Facebook or other platforms operated by Meta.

One of the tax preparation firms stated that they used the Meta Pixel to deliver a more personalized experience for their customers.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel.”

Meta, on the other hand, stated that it feels it has been clear in its policies that advertisers should not send sensitive information about people through its business tools.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Both sides agree that this should not have happened, and we wholeheartedly agree, but that does not explain why it happened anyway.

The problem was flagged earlier by The Markup. We reported on their Pixel Hunt project in January of 2022. The Markup also found Google’s analytics tool on one of the tax preparers’ websites. That tool didn’t send out any names, although it did send some of the financial information to Google.

The three tax preparation firms mentioned in the letter are H&R Block, TaxAct, and TaxSlayer. The information gathered on the websites of these firms was sent to Meta over the course of at least two years.

If you don’t want your information to be gathered and shared by trackers, you can use solutions like Malwarebytes Browser Guard, a browser extension that, among other things, blocks third-party ad trackers.



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.