TurboTax, Owner of QuickBooks, Under Fire for Leaking MailChimp Data

A little-known data breach at Intuit’s marketing email service has raised concerns about security protocols at its more established companies like TurboTax, QuickBooks and Credit Karma, The Post has learned.

Intuit, a sprawling, publicly traded business software empire with a $110 billion market cap, admitted last week that 133 accounts using its MailChimp site had been hacked. The company did not say who was responsible.

While the number of hacked accounts is relatively low, sources say many were used by clients who run businesses with hundreds of thousands or even millions of emails on their lists.

Last March, MailChimp confirmed that hackers had accessed information about 102 of its customers’ accounts. A month later, a class-action lawsuit was filed against Intuit by clients of the Trezor crypto wallet, the company that used MailChimp.

Trezor customers in the pending lawsuit, including one who says he lost $87,000, allege that Intuit did not take “adequate and reasonable measures to ensure the protection of its data systems.”

Late last month, reports surfaced that several key email services, including MailChimp, could be at risk from a larger cyberattack. MailChimp, according to a posting on the company’s website, said it did not detect any issues until January 11th.

Customers complained that they were warned the next day that their accounts had been compromised, but were told that MailChimp allegedly did not provide them with the tools to respond to a data breach or even provide a phone number to call.

“Intuit’s business is all about data security… what’s going on here?” one furious CMO whose email list has been compromised told The Post. “It’s a huge black eye for Intuit because you’re going to question their entire system.”

Intuit did not respond to The Post’s request for comment on Tuesday.

Lawyers fear the hack could signal more serious problems at other Intuit companies.

“While MailChimp can be considered a boring and sleepy company, it is part of the Intuit portfolio,” former SEC lawyer Ron Geffner told The Post. “Have they implemented the same policies and procedures across all portfolio companies? Is this a back door to the parent company?”

“Is this isolated or does it indicate other issues the company is facing with regards to cybersecurity?”

In 2021, TurboTax reported that hackers had gained access to some of the financial and personal data of customers. The company said at the time that this was not “an Intuit system data breach”.

“A single incident raises fewer questions,” adds Geffner. “Multiple failures raise the question of whether they were caused by a company failure and whether the same failures resulted in multiple breaches.”

Lawyers told The Post that MailChimp could also face millions of dollars in fines from regulators including the Consumer Financial Protection Bureau, the Federal Trade Commission and several states after customer data was compromised.

MailChimp will have to prove to regulators that it has adequately protected customer data. Even if MailChimp does provide adequate customer protection laws, experts say, it will likely have to compensate customers and their customers for the lost time and money associated with a security breach.