On August 9, 2024, HRB Tax Group, Inc., the parent company of H&R Block, discovered a significant data breach that potentially exposed sensitive personal and financial information of 23,067 individuals across the United States. The breach occurred between May 13, 2024, and August 7, 2024, during which an unauthorized third party gained access to certain client accounts and MyBlock accounts.
The company determined that the attackers used personally identifiable information (PII) obtained from sources outside of H&R Block to infiltrate the accounts.
The investigation revealed that the compromised data included:
- Names
- Social Security numbers (SSNs) or Individual Taxpayer Identification Numbers (ITINs)
- Government-issued identification numbers
- Financial account information (e.g., account numbers, credit or debit card numbers)
- Dates of birth
- Information contained in tax returns
The breach had a nationwide impact, with 640 individuals affected in Texas and 24 individuals affected in Maine. For more details, you can view the Maine Attorney General's disclosure and the Texas Attorney General's disclosure.
The company completed its investigation on November 6, 2024, and began notifying affected individuals in writing via U.S. mail on November 26, 2024.
HRB Tax Group's Response
In response to the breach, HRB Tax Group, Inc. took immediate action to investigate and mitigate the incident. The company engaged a third-party cybersecurity firm to assist with the investigation, terminated the unauthorized access, and implemented additional measures to prevent similar incidents in the future.
To support affected individuals, H&R Block is offering complimentary identity theft protection services through IDX, a ZeroFox company.
These services include:
- 24 months of credit and CyberScan monitoring
- A $1,000,000 insurance reimbursement policy
- Fully managed identity theft recovery services
Affected individuals can enroll in these services using the unique enrollment code provided in their notification letter.
Are you affected by the data breach?
If you received a notification from H&R Block regarding this breach, it is essential to take proactive steps to protect yourself and your family from potential identity theft or fraud. Here’s what you should do:
- Enroll in the free identity protection services: Use the enrollment code provided in your notification letter to sign up for IDX’s identity theft protection services. Visit IDX's enrollment portal or call 1-866-828-4512 for assistance.
- Obtain an Identity Protection PIN (IP PIN) from the IRS: This six-digit number can prevent unauthorized individuals from filing a tax return in your name. Learn more and apply for an IP PIN at the IRS's IP PIN page.
- Monitor your credit and financial accounts: Regularly review your bank statements, credit card activity, and credit reports for any suspicious activity. You are entitled to one free credit report annually from each of the three major credit reporting agencies at AnnualCreditReport.com.
- Consider placing a fraud alert or security freeze on your credit files: Contact Equifax, Experian, or TransUnion to add a fraud alert or freeze to your credit report. This can make it more difficult for identity thieves to open accounts in your name.
- Be vigilant for phishing attempts: Scammers may attempt to exploit this breach by sending fraudulent emails or calls pretending to be H&R Block or other trusted entities. Avoid clicking on suspicious links or providing personal information to unknown sources.
- Report any signs of identity theft: If you suspect fraud, contact IDX immediately for assistance. You can also file a report with the Federal Trade Commission (FTC) at IdentityTheft.gov or your local law enforcement agency.