The company says its use of customers' Social Security numbers in package tracking IDs was an unprecedented mistake and will not recur.
Some H&R Block customers who received free copies of the companys TaxCut software also had their Social Security numbers exposed, according to a company spokesperson.
H&R Block sent a letter to customers in late December saying that a tracking number used on packages containing TaxCut contained the customers Social Security number as part of a unique, 47-digit tracking number.
H&R Block blamed user error for the slip and said the number would be impossible to spot, and that no customer data has been lost or stolen as a result of the mistake, according to Denise Sposato, a spokesperson for H&R Block.
H&R Block learned of the slip-up in late December, after a customer informed the company that a unique ID that appeared on the package, above the mailing label, contained his or her Social Security number.
The number is used by H&R Blocks marketing department, Sposato said.
After learning of the mishap, H&R Block moved quickly to identify the source of the error and customers who were affected by it, Sposato said.
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
The Kansas City, Mo., company said it believes that less than 3 percent of those who were mailed a copy of TaxCut had their Social Security numbers used.
Sposato declined to say how big the mailing was or to provide an estimate of how many of the companys current and former customers were affected.
Sposato said the incident was an accident and "completely contrary to established procedure" at company, which makes its money helping individuals prepare and file tax returns.
Social Security numbers are not used to track other mailings, nor are they used to derive the unique tracking numbers used on mailings, she said.
Congress approves a bill requiring that customers be notified of data breaches. Click here to read more.
H&R Block informed customers of the mistake in a letter, and set up a Web page on the companys site with information for those whose Social Security numbers were disclosed.
H&R block feels the risk of identity theft is minimal, Sposato said.
This is the first year that H&R Block mailed the TaxCut software to current and former customers. Some of those receiving the tax preparation software have not used H&R Block for a year or more, Sposato said.
H&R Block has notified its compliance officer about the problem, but declined to say whether authorities or federal regulators were informed of the information leak.
The news from H&R Block is just the latest in a long string of disclosures of corporate data leaks.
Just last week, Marriott Vacation Club International, a division of Marriott International Inc., said computer backup tapes with information on more than 200,000 customers disappeared
from the companys Orlando, Fla., offices. The tapes may contain credit card numbers, Social Security numbers and addresses of customers of the timeshare property business.
Data privacy will be a top issue for federal lawmakers in 2006. The U.S. Congress will consider a federal data breach notification law next year, in addition to new regulations aimed at spyware programs.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.