QuickBooks Tip / Security Concern: Did you Know You May Be Syncing Sensitive Financial Information with Intuit Servers?
Intuit Sync Manager may be syncing QuickBooks data (including sensitive financial data like Social Security numbers and customer credit card information) to Intuit servers without your knowledge. Read this article for details and recommendations to protect your sensitive financial information.
This may be a security concern for QuickBooks users who do not want to sync sensitive financial information with Intuit Servers. It should be a bigger concern for CPAs, Chartered Accountants and other accounting professionals. We are usually required to keep client information confidential and secure according to the AICPA, state laws or other regulations. If client data will be shared with third parties (i.e. Intuit’s servers), we should have consent from the client in an engagement letter or privacy notice.
Additionally, some clients are adamant about NOT having their financial information ‘in the cloud.’ They may be very upset to discover their data is syncing to Intuit servers. Please read this article to determine whether QuickBooks files are syncing with Intuit servers and how to turn it off if desired.
Overview of Intuit Sync Manager
Intuit Sync Manager syncs QuickBooks data from the file on your PC to Intuit Servers. This is great if you decide to subscribe to an app from Intuit or third party vendors in the App Center. This is what a knowledge base article says about Intuit Sync Manger (with emphasis added): 
Intuit Sync Manager synchronizes your QuickBooks company file data with Intuit online services and third-party developed applications that you may subscribe to. To make it easier for you to use these connected services, Intuit Sync Manager is installed when you install QuickBooks, however it will not sync your file unless you set it up to do so.
When you subscribe to any of the services on the Intuit App Center that require access to your QuickBooks company file data, you need to set up your company file for sync.
However, “it will not sync your file unless you set it up to do so” appears to have changed somewhere along the way and this concerns me. I’m not a techie and I admit I do not fully understand the details surrounding Intuit Sync Manger. Please provide additional details or clarification in the comments to this article below.
QuickBooks 2012 Files
The default for Intuit Sync Manager appears to be set to sync data including sensitive financial information. When I create a new file with QuickBooks Accountant 2012, it doesn’t ask about syncing the file yet the sync manager is turned on and set to sync sensitive financial information.
In existing QuickBooks 2012 files with no app subscriptions, no payroll subscriptions. no Intuit Merchant Services or other apparent reasons to sync with Intuit servers, the Intuit Sync Manager preference is turned on including to sync sensitive financial information as shown in the image below. We don’t know how this was turned on.
I suspect Intuit needs to sync to confirm license registration, QuickBooks updates or other acceptable reasons. My primary concern is that Intuit Sync Manager also enables it to sync “Social Security numbers, customer credit card information, and other personal data.”
I think it is on by default (in QuickBooks Accountant 2012) because I cannot determine where it asks if you want to sync the file. Intuit’s support article indicates it “is installed when you install QuickBooks, however it will not sync your file unless you set it up to do so.” This doesn’t appear to be working as described.
Changes in QuickBooks 2013
Just like with QuickBooks Accountant 2012, when you create a new file in QuickBooks Accountant 2013 (QuickBooks Pro and Premier are different and discussed next), the file will be set up to sync with Intuit servers, including sensitive financial information as shown in the above image.
In QuickBooks Pro or Premier, 2013 (not QuickBooks Accountant as discussed above), when a new file is created, you need to create an Intuit account by entering your name and email address. You should un-check the box (see below) if you do not want to sync the data file with Intuit Servers.
Recommendation for Intuit
Please change it back to “it will not sync your file unless you set it up to do so.” The default should be to NOT start syncing the file unless we opt-in (not opt-out) especially where sensitive financial information is concerned!
Recommendations for Users and Accounting Professionals
Change the preference for Intuit Sync Manager if you do not want to sync your data or sensitive financial information. To do this: Edit > Preferences > Integrated Apps > Company Preferences > Intuit Sync Manager > Properties and un-check the boxes. NOTE: this should stop it from syncing in the future but your data has probably already been synced to Intuit’s servers.
For accounting professionals, make sure your privacy policy or engagement letters are updated with appropriate wording to cover sharing data with third parties.
Share Your Comments
Do you think this is an important issue for you or your clients? Do you have additional information or insights on how Intuit Sync Manager is working on other QuickBooks files? Do you agree that it should be opt-in as the default? I can share your comments with Intuit Product Managers next week at The Sleeter Group’s Accounting Solutions Conference.
UPDATE: Apparently it isn’t really syncing the data as it appeared. This was posted by Alex Chriss – Director, Intuit Partner Platform in the comments:
Hi Michelle and all. We appreciate the feedback and the discussion here. I think we caused some confusion with some poorly worded screens, so please allow me to clear it up.
First, Intuit does not sync company file data to our servers without explicit approval from customers. The preference setting you have screenshots for is actually a setting that tells Sync Manager WHAT to Sync IF it is explicitly enabled. By default, we give Sync Manager (“the app”) permission to sync data only IF the user explicitly turns it on.
In QuickBooks versions prior to 2013, the user would have to explicitly go through the sync setup flow to turn ON sync manager and move data to Intuit servers. In QuickBooks 2013, we’ve simplified this setup flow to enable easier access to integrated applications – and allow the user to activate (or not) sync during the creation of a company file – but it is still an explicit decision by the user.
Clearly we could do a much better job with our wording and explaining what’s happening here but I want to assure you that we take our customer data and preferences very seriously. QuickBooks customers have full control to decide whether to sync their file or not.
One change we are investigating, per the comments in your post, is changing the default setting of a new file creation in the Account Edition from opt-out to opt-in for added transparency.
Alex Chriss
Director, Intuit Partner Platform
Tags: news, QuickBooks, Tips & Tricks
[RSS]
[Comments]
Michelle L. Long, CPA is the owner of Long for Success, LLC specializing in QuickBooks consulting & training, coaching small business owners, speaking and writing. She was named one of ‘10 Women who Inspire a Profession’ by Accounting Today and a Financial Services Champion of the Year by the SBA. She has been mentioned in the New York Times, Inc.com, Business Week, Investor’s Business Daily, WebCPA and more. Michelle is the author of Successful QuickBooks Consulting and How to Start a Home Based Bookkeeping Business.
Want to get all the latest news? Subscribe via e-mail or follow me online:
E-mail addresses are kept confidential.
Comments
33 Responses to “QuickBooks Tip / Security Concern: Did you Know You May Be Syncing Sensitive Financial Information with Intuit Servers?”
Leave a Reply
Social Media
Michelle, this won’t be tied in with license registration or QuickBooks updates. Those are totally separate from the Sync Manager itself (although your Intuit “account” is tied to registration as well as the Cloud copy of your data).
Sync Manager is solely a way to get your company file data in to the Cloud servers so that they can be accessed by third party products. Note that these products can’t get to the data unless you specifically set them up, even with this auto sync feature.
Nonetheless, your data is being stored by Intuit without your express permission, if this is the case. That is NOT acceptable. You should have to opt in, as we have in the past.
Since that notification doesn’t show up in the ProAdvisor copies, many reviewers (including me) weren’t aware of this change in the 2013 product.
THANK YOU for bringing this to our attention!
Thanks for making us aware of this Michelle. I set up a test company in my Accountant’s 2010 and it is doing the same thing. Automatically turned on. Same thing in Enterprise 11. Can’t wait to hear what Intuit has to say about this.
I checked a 2010 file on this machine and those settings are also selected. I wonder when they changed things….
I agree with you 100% that this is not something that we should have to Opt-out on. IF this is a recent change then we should have been prompted to select the setting that suits that particular company.
It is also automatically turned on in QuickBooks Accountant 2011. I’m checking all of my company files and turning it off. Please keep us posted as to what you find out from Intuit. Have a good conference.
Thank you all for your comments and what you found looking in your files with different QB versions.
Charlie — thanks for the clarification about the updates and license info.
I keep thinking that maybe I’m missing something or don’t understand it fully since I’m not a techie. If so, hopefully someone from Intuit will clarify it for me and I’ll have to write a ‘retraction’ about why I was wrong.
Amazing! Intuit takes it upon themselves to access our confidential client data for their profit.
There should be a notification for an implicit opt-in or opt-out.
What happens if their is a breech on Intuit servers, will we be notified? Who is liable to our clients?
I have been looking at alternative accounting systems. Looks like Intuit just made the decision for me.
Kenneth – thanks for sharing your concerns. I have questions too. If I create a QB file for a client, they restore it on their computer with the preference to sync on. Now their data is syncing with a third party (Intuit servers). What is my liability and exposure?
I am surprised this has been syncing without our knowledge or consent. It seems like a major privacy issue to me.
A lot of your financial data is already in the “cloud”, with banking and credit card info. And, as accounting program technology moves forward it is more and more likely that your data is going to be on someone’s server. Intuit’s data centers are very, very secure.
The issue to me is mainly that they changed a policy without notifying us, apparently. We should have had the option to decide if we want this done.
This is a major concern! I do not want to change my privacy policy! I do not want ANY information shared with third parties! Even if I am using a payroll service and direct deposit of payroll checks for a client, I do not want any information shared with third parties! That is my policy!!!!!!! Thanks Michelle. Please keep us updated on this.
Another thought would be credit card information. I have to complete a compliance questionnaire every year indicating that I am NOT keeping cardholder information on file thus protecting that information from being accessible to ANYONE. Wouldn’t this be in violation of that compliance issue?
Thank goodness I still have QB2005, desktop program, as the only QB with which I work. I find it appalling that Intuit has compromised the private data of all you other people’s clients, and worse yet, apparently nobody discovered this privacy breach until Michelle Long just tested the 2013 program now.
Maybe someone should sue Intuit for breach of privacy.
I just logged into my company file in QBES 2012. This doesn’t appear to just apply to the Intuit Sync Manager.
It appears that after installing 2013 there has been a change in my 2012 Integrated Applications screen (I would never have thought that was possible and would not have looked at this in 2012 without your prompting Michelle – thank you!)
Now the Company Tab of the Integrated Applications Preference shows Business Planner, Cash Flow Projector, Intuit Statement Writer, Intuit Sync Manager, Loan Manager, QuickBooks Client Manager, QuickBooks Financial Statment Designer, and QuickBooks Fixed Asset Manager. ALL of these were set to “Allow this application to access Social Security Numbers…………….”
I feel this is just another knife in the back from Intuit. I have disabled sync several times and it keeps getting turned back on, and with the default being Share SS#s!! I have found this in files from 2009 – 2012. I do not use any apps. This is completely against my privacy policy and a Circular 230 violation. This may be the last straw with Intuit, I will have no problem moving all of my clients to Peachtree. Once again, Intuit has forgotten that they are partners with CPAs and EAs, and that we help them as much as they help us.
Try unchecking the box in the Integrated Applications Preferences that says
“Allow this application to read and modify this company file.”
(See the screenshot in Michelle’s article)
For normal integrated applications, unchecking the box prevents the integrated application from seeing the data in the QuickBooks file. But QuickBooks, in this case, may just re-checkj the box.
Karl -
Here’s one of my beefs… One file in particular, I KNOW I have checked to not allow syncing, when I checked it yesterday, the sync was unchecked, but Another sync line (app) was there (which leads me to believe it was re-installed) and that sync had the default checked. So, does it matter that I went in during set-up and said NO, do not allow access, if it is just going to over-ride my decision during an update or whatever, and then use the bogus defaults. The file I am discussing is 2010.
As a CPA, I find this news very disturbing, both for the client confidentiality rules I am bound by as well as credit card data security standards that my clients are bound by. I cannot fathom why Intuit would ever even need any of this information, unless a company is using them for their credit card processing.
I guess it’s time to ask for a type 2 SSAE 16 report.
Is it possible that the sync must be on to do updates? If so everytime you allow an update you are allowing it to sync up and then would have to go in manually and turn off the sync again?
I agree this can be a very unerving problem. However I include in my engagement letters that information may be shared with 3rd parties for tax preparation or accounting to complie with electonic filing requriements. Since I do e-file tax returns – have to use Proseries servers to get to IRS. With QB when I e-file payroll taxes and documents I am using QB servers for payroll. How else do you think you can e-file these if you aren’t using them?
Just saw article in Proadvisor Newsletter that came out yesterday by Accounitning industry pro Darren Root about sync up with your clients in the cloud. I just asked this question as a comment on this arcticle and the concerns expressed in Michelles article and the comments above. Will let you know his reply. Maybe Michelle can post a link, as I can’t do it within this reply (not allowed)
Rebecca the ProAdvisor Newsletter is for ProAdvisors only so not everyone may be able to read it, but here is the link.
Working ‘in the cloud’ is definitely an opportunity to collaborate and work with clients. Plus there are many cloud based apps which can help improve productivity and efficiency. When people decide to work in the cloud, they are consenting to their data being in the cloud.
The issue I explained in the blog post is that the data is being synced to Intuit’s servers by default and without people’s consent or permission in many cases. Except — when a new file is created in QB Pro or Premier 2013, there is a box to opt out and not have the data sync. You don’t get the opportunity to opt out if the file is created with QB Accountant 2013.
Plus, somehow files in 2009 – 2012 are now syncing data (including SSNs and Customer Credit card #s) without the QB user’s consent or permission.
I think this is wrong. People should have to provide their consent and permission for the data to sync. It should be opt-in and not opt-out. And whatever turned on the syncing in 2009 – 2012 files should be changed to turn it back off. Let people opt-in if they choose to do so.
Now, the question here is if you are ‘sharing your data’ with Intuit, or merely syncing to their servers.
From what I can tell in a brief perusal is that they don’t keep data in any meaningful fashion that can be used other than by you. They say it can’t be used to restore Quickbooks, etc, so it’s not the whole of your data.
There were similar concerns after Google changed their TOS on data storage for their new service Google Drive.
I imagine it keeps turning ‘itself’ on because for some of you because you’re using a service that requires it. You have to find the service and disable that, then you can disable the syncing once and for all.
All said, you are not giving your data to a third party, from what I can see but I will research further. It should be encrypted and I can’t tell as of yet if the transfer of data is encrypted and with what encryption protocol is used.
Furthermore, this upset is almost laughable compared to some of the no-nos I’ve seen go on at a CPA office.
- Using Google email (You are generally sharing your data with Google, while anonymously, still sharing)
- Leaving the wireless network set up at default settings (or worse, letting Geeksquad/outsourced IT set it up)
- Using Internet Explorer
- Not using a separate malware scanner
- Using the wrong anti-virus/malware setup
- Skipping Windows/web browser/software updates
- Poor shredding habits
- Unsecured filing cabinets
I fully support working in ‘the cloud’ and services such as Dropbox for backup of my personal files. For business, you need a VPN, or Virtual Personal Network. This is used by most larger companies but is easy and inexpensive to get a setup of your own with redundancy servers.
Backing up the file to media or making separate copies is just not a good backup strategy. The backups can fail, the discs can get scratched or damaged and generally people keep them in the same building. More than computer failure can eat your data. There’s always fire, flooding, etc.
Many CPAs and bookkeepers can’t understand a RAID server, must less know how to set one up and maintain it. I built one from scratch and I still wouldn’t use it for my backups. I play games on mine. I store offsite and do so securely with encrypted transfers. I tell my clients this up front and if they have a problem, then they are welcome to take their business elsewhere.
This has never proven to be a problem for my clients, instead it’s gotten me some work setting up their networks to be more secure.
[Copied from LinkedIN]
“Intuit ensures the highest levels of security to meet or exceed financial industry standards. We adhere to SSAE 16 Type II and Visa Payment Card Industry (PCI) compliance. Intuit also supports several Multi-Factor Authentication (MFA) techniques by working with vendors like RSA and the Open Financial Exchange (OFX), of which Intuit is a founding member, to meet your compliance and security requirements.”
Michelle, liability/guarantee/rest-assured-we-are-professional-and-care-alot statements like that one of Intuit’s, are much like the “Your call is very important to us” recording we all get while enduring an extended session on hold, in a telephone call.
In other words: it’s not worth much. The larger the database, the greater & more tantilizing the “prize” it becomes in terms of harvesting private information. Do the headlines ever say “Man has Identity Stolen Due to Poor Data Security at Mom & Pop Grocery Store”? No, we read that 250,000 people may have had their data compromised at a large credit card company, etc.
So where does this leave Laura, and the rest of us, if we handle client data? We can regurgitate Intuit’s security statement to our clients, but does that make us feel any more secure? And in terms of liability, many accounting professionals put themselves in the position of *representing* to the client that their data is secure. Despite terms of service letters we might send out to a client stating that we are not ultimately liability for breaches in data security which are out of our pervue, we are the ones likely to lose a client–or at least, the client’s trust–if there is a security breach.
Sorry if this may sound exteme, but this is one of my hot button topics and I think these questions are valid. I tire quickly of everyone telling me how “safe” my data is, and I will never have the blind faith required to fully trust that Intuit or anyone else is handling my data securely. Sure, Intuit (or many others) may be as diligent and professional as possiblle in handling my data. But as a software developer, I know how fragile that protection is. One mistake in one line of code by some obscure programmer, and there’s a data vulnerability.
Years ago I did a lot of work for a bank–a very trusted institution, and I still think they’re relatively good in terms of security. But due to the work I did, I got to see “the back side of the circus tent” (where all the electric cords and ropes and elephant poop is), and I know that security depends on a *lot* of people all doing their job diligently, and not having any mental or physical breaches of protocol, etc., and that everyone slips up at some time. (Given the historic uptime problems and pure services outages–lengthy ones–of QuickBooks Online, how much should I trust that Intuit is not asleep at the wheel, in some way?)
This is something all of us have to figure out, with respect to our data stored “somewhere” in the cloud.
I’m saddened for sure like the rest of you. In doing payroll, of course we need to have the Social Sec # and birth dates and all that …. so let’s just open the door to identity theft.
So here are my questions:
1) For those that are doing online payroll (epay and efile) – does the Intuit Sync manager need to be on?
2) if you use the Intuit online backup – does the Intuit Sync manager need to be on?
I want to assume No since they are not Apps as I understand Apps, or 3rd party elements.
Please let me know and I will share this information with my clients. Thanks!!
Michelle, Thank you so much for this very valuable information. I SO appreciate your willingness to share the results of your research and your vast knowledge of QB.
Responding to Lori Hammond: The kinds of applications you list, that you are also seeing in your Integrated Applications preference, are all local programs on your computer. These are not pushing data into the cloud, you have control over them. I personally don’t see an issue with these having that option selected (but you can turn that option off if you wish). Intuit Sync Manager is pushing your data to the Cloud, so that is a quite different issue.
As Karl Irvin says, you can disable this yourself. You have control. The big issue is that it is being done stealthily.
Mark Wilsdorf: I do believe that Intuit has an excellent track record for being secure, but I understand your point. And, yes, in Sacramento last year we DID have a big headline about credit card info being stolen from a local store, exposing people to fraud (not a Mom and Pop per se, but a local restaurant). So it can happen. Again, my concern is that this is not being done with consent. If you are OK with this info being in the cloud, fine. If you are not, that should be your choice.
When you use QuickBooks Online (which is not what we are talking about here) you sign a use agreement that includes statements that you allow Intuit to use your data “in the aggregate”. I haven’t found the use agreement for Intuit Sync Manager, does it have the same statement? If Intuit does this by stealth, we haven’t “agreed” to that. Unless that is buried in the QuickBooks user agreement (I haven’t looked lately).
Cynthia, my apologies, I’m not sure I have the right answer for you. The LAST time I looked, Intuit Online Backup did not require the Sync Manager (I expect it still doesn’t) – that is not reading your data record by record as Sync Manager does. For the payroll products, I doubt that Sync Manager has anything to do with that as one of the problems with apps using that is the poor access to payroll info that they have.
Note, though, that “apps” can be Intuit Apps also, this isn’t limited to “third party” apps.
Hi Michelle and all. We appreciate the feedback and the discussion here. I think we caused some confusion with some poorly worded screens, so please allow me to clear it up.
First, Intuit does not sync company file data to our servers without explicit approval from customers. The preference setting you have screenshots for is actually a setting that tells Sync Manager WHAT to Sync IF it is explicitly enabled. By default, we give Sync Manager (“the app”) permission to sync data only IF the user explicitly turns it on.
In QuickBooks versions prior to 2013, the user would have to explicitly go through the sync setup flow to turn ON sync manager and move data to Intuit servers. In QuickBooks 2013, we’ve simplified this setup flow to enable easier access to integrated applications – and allow the user to activate (or not) sync during the creation of a company file – but it is still an explicit decision by the user.
Clearly we could do a much better job with our wording and explaining what’s happening here but I want to assure you that we take our customer data and preferences very seriously. QuickBooks customers have full control to decide whether to sync their file or not.
One change we are investigating, per the comments in your post, is changing the default setting of a new file creation in the Account Edition from opt-out to opt-in for added transparency.
Alex Chriss
Director, Intuit Partner Platform
Frightening! Especially for my payroll clients. I will be checking everybody’s settings asap!
HI everyone, I am over in the UK now, and don’t have all the details, but I absolutely KNOW (110%) that we have rigorous policies around the collection and use of sensitive data, and I take umbrage with people saying that it doesn’t carry any weight or mean anything in real terms. In fact, the policies are so strict that I as a Sr Manager could not have access to the building that the payroll team worked in, because of the fact that sensitive customer data passed through that building (on its way to tax returns and payroll forms etc and not for Intuit’s use). So I seriously doubt that we are synching your credit card data, or SSN’s etc, etc to anything that didn’t absolutely require it.
Additionally, we all have to take several hours of training (annually) to ensure we are kept up to date on Intuit’s policies around data privacy and security. I just took mine, which is why it is top of mind for me.
To help close this issue and reassure you, I have asked the US team to respond – I see that Alex Chriss has responded, but am also hoping someone from our data privacy and security team can comment so you can rest more easily.
thanks -
Alison Ball
Head of Accountant Programmes, Intuit UK
I found this option automatically turned on in the Business Planner, Statement Writer, and Financial Statement Designer, as well as the Sync Manager. I’m going through all of the copies of software I have, as well as all of my clients to make sure it gets turned off.
The Canadian versions have the same issue going all the way back to QB2009. Most of the files we have don’t use any of these apps. It is even checked for “Intuit Excel Addin” and Quickbooks Client Manager. The default on that box should be “unchecked”.
The point is not whether Intuit has proper security for data, the point is that we as licensed practitioners must have expressed written consent from our clients before sharing any information with a third party.
I dont use any of the online services in my 2012 Accountants Edition. Yet these preferences were set to ON. I certainly did not turn them ON. This is sloppy and sneaky on Intuits part. Defaults should be set to the highest security levels and allow users to go to the effort to turn them on. I never explicitly turned on anything in QB as Alex Chriss states of versions prior to 2013. Please explain how that happened? Right now, Im feeling very thankful that I run all my payrolls outside of Quickbooks and I dont use Intuit Merchant services. My QB doesnot have data that needs be secured from Intuit.
Once again you have brought something to our attention that will make us look like complete QB experts because regular users don’t sign up for your blog. Thanks!
This is one reason that as soon as a credit card transaction has taken place, I remove my client’s credit card information in my QuickBooks company file and advise my Seattle area clients to do the same if it is a one time transaction.