In what appears to be the largest cyber attack yet against a state government agency, hackers stole millions of documents from the South Carolina State Department of Revenue this summer. The stolen bounty includes almost four million Social Security numbers and over three million bank account numbers. Hackers stole the information by placing a 21st Century twist on an ancient sport: fishing. The incident likely began with a ‘phishing’ email sent to various state employees. ‘Phishing’ emails work by luring the recipient into clicking a link, thinking it will lead them somewhere of interest. Unbeknownst to the user, the link actually installs software on their computer, which in this case allowed the hackers to obtain employees’ usernames and passwords.
So, what was exposed as a result of this security breach?
- 3.8 million taxpayers’ Social Security numbers
- 387,000 credit and debit card numbers
- 700,000 business tax records
- 3.3 million bank account numbers and data
What could or should the SC Department of Revenue have done to prevent it?
- Upgrade its password protection to a dual-password system—this is the only solution the agency is currently addressing
- Encrypt ALL their data—this idea was rejected by the agency in 2006 as “cost ineffective” ($5 million) and not required by the IRS.
- Hire a new Cyber-security Officer—the position had been vacant from September 2011 to August 2012, just when the hacker stole millions of taxpayers’ personal data. Seriously, how many similar agencies and banks go for almost a year without a security guard?
- Train employees and top executives—the workforce in these institutions needs to be capable of implementing the programs, policies and strategies that can begin to address some of these cyber threats.
“No matter how good a technology is, if not used correctly by skilled employees who follow well-defined processes, vulnerabilities will surface that can be leveraged by both internal and external threat actors”
- Increase the number of vulnerability scans on the agency—quarterly vulnerability scans are currently run by a private contractor.
- Accept the offer of free breach-detection services from the state’s IT department—which the agency has reportedly declined before.
Department of Revenue Director Jim Etter has appeared before Senate panels in the past two weeks to answer multiple questions on the causes of the breach, and has demanded improved security procedures for the state’s computers. Etter will be resigning at the end of December.
As of today, the cost of the state’s response is estimated to be above $14 million and climbing. Other state tax agencies are now on high alert.
Mathew J. Schwartz, “How South Carolina Failed to Spot Hack Attack,” InformationWeek, November 26, 2012
“Booz Allen Announces Top 10 Financial Services Cyber Risk Trends for 2013,” Booz Allen Press Releases, November 29, 2012