Cyber Security Breach Exposes Millions in South Carolina
The words “shocking” and “unprecedented” come to mind – even from a cyber security attorney. South Carolina’s Department of Revenue suffered a massive cyber security breach that exposed 3.8 million tax returns. The data retrieved from those tax returns included full social security numbers and bank account information. Given how easy it was for the hacker to gain access to this information, it is as disturbing as it is shocking that South Carolina was so careless in protecting its citizens’ information. Now millions of South Carolina taxpayers could see their personal information sold to worldwide criminal syndicates, have their credit histories ruined, and suffer a headache that could last a lifetime. For that pain, South Carolina is offering one free year of credit monitoring (at a cost of $12 million to the state government) and has released an information sheet.
The attack, which is suspected to have originated from Russia, used a fairly simple method for obtaining data (which South Carolina foolishly failed to encrypt – though that is unsurprising given the age of its IT infrastructure). According to a report prepared by Mandiant, a cyber security firm hired to review the breach, the attacker used a basic phishing scheme. Put simply, the hacker sent an e-mail containing a link that a Department of Revenue employee clicked on. The click downloaded a virus, undetected, that gave the hacker access to that employee’s full credentials. After conducting reconnaissance in South Carolina’s systems for a few days (still undetected), the hacker began downloading treasure troves of data. Because the data was not encrypted, the hacker had unfettered access to the information.
South Carolina Governor Nikki Haley acknowledged the inadequacy of South Carolina’s protection of its citizens, admitting that “[w]e were a cocktail for an attack.”