A little-reported data breach at a marketing email service owned by Intuit is raising concerns about security protocols at its better-known properties such as TurboTax, QuickBooks and Credit Karma, The Post has learned.
Intuit, a sprawling, publicly traded business-software empire with a market capitalization of $110 billion, admitted last week that 133 accounts using its MailChimp site were hacked. The company did not say who was responsible.
While the number of breached accounts is relatively small, many were used by customers who run businesses with hundreds of thousands or even millions of emails on their rosters, according to sources.
Last March, MailChimp confirmed hackers gained access to information on 102 of its customer accounts. A month later, Intuit was slapped with a class-action suit from customers of crypto wallet Trezor — a company that used MailChimp.
Trezor customers in the pending suit — including one man who says he lost $87,000 — claim Intuit did not use “adequate and reasonable measures to ensure that its data systems were protected.”
Late last month, reports surfaced that several key email services including MailChimp could be at risk as part of a bigger cybersecurity attack. MailChimp, according to a post on the company’s website, said it did not detect any problems until Jan. 11.
Customers complained they were alerted the next day that their accounts had been compromised but said MailChimp allegedly gave them no tools to respond to the data breach and didn’t even provide a phone number to call.
“Intuit’s business is all about data security… what’s going on here?,” one infuriated marketing executive who’s email list had been compromised told The Post. “This is a huge black eye for Intuit because you’re going to question their entire system.”
“Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts, and there is no evidence that this compromised customer data beyond these Mailchimp accounts.”
Legal experts fear the hack could signal bigger problems at other Intuit companies.
“While MailChimp might be considered a boring, sleepy company, it is part of the portfolio of Intuit,” former SEC enforcement attorney Ron Geffner told The Post. “Have they implemented the same policies and procedures at all portfolio companies? Is it a back door into the parent company?”
“Is this isolated or indicative of other problems the company faces with regard to cybersecurity?”
In 2021, TurboTax revealed hackers had accessed some of customers’ financial and personal information. The company said at the time it was not a “systemic data breach of Intuit.”
“An isolated incident raises fewer questions,” Geffner adds. “Multiple failures begs the question of whether it was due to a failure of the company and have the same failures resulted in multiple breaches.”
MailChimp could also be on the hook for millions in fines from regulatory bodies including the Consumer Financial Protection Bureau, the Federal Trade Commission and multiple states after customers data was compromised, attorneys told The Post.
MailChimp will have to prove to regulators it provided adequate protections for customer data. Even if MailChimp did provide adequate customer protection laws, it will likely have to compensate customers and their clients for lost time and money dealing with the security breach, experts said.