Etsy confirmed a privacy breach impacted about 1,500 sellers. The incident was caused by human error and was not related to any hacking or website vulnerability.
The incident occurred on January 30, 2018, when an Etsy seller requested a copy of their 2016 federal 1099 tax form. Etsy sent a letter to the sellers who were affected, explaining, “While providing that information to the Etsy seller, your Etsy 2016 federal 1099 tax form was inadvertently disclosed to the seller. The seller reported the incident to us, and our security team confirmed with the seller that the information was deleted from the seller’s system the same day. We have no reason to believe that the information was misused in any way.”
Etsy published a more general post disclosing the incident on its message board on February 13 and told sellers who received a letter and had questions to reach out to its support team at Etsy.com/help/contact or through the phone number provided in the letter.
Form 1099 is sent to any individual or business for whom Etsy processed payments of $20,000 and 200 transactions, as well as to the IRS and to certain states that require payment processors notify them as well.
The form contains the tax identification number (TIN) of the payer (in this case Etsy) and the payee (in this case, sellers). In some cases, sellers (particularly low-volume sellers) use their social security number as their TIN. We have a follow-up question in to Etsy about whether it used the full social security number on 2016 forms, or just the last 4 digits.
An Etsy spokesperson confirmed that the company is offering the sellers who were impacted by the incident free access to AllClear Identity Repair for 36 months.