South Carolina breach exposes 3.6M SSNs
- 26 October, 2012 23:49
In the biggest data compromise of the year, Social Security Numbers (SSN) belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenue.
Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday. However, out of that number only about 16,000 of the credit and debit cards were unencrypted, the department added. The SSNs, meanwhile, do not appear to have been encrypted.
Anyone who has filed a South Carolina tax since 1998 has been impacted by the breach and will be offered one year of identity protection service from Experian. The service includes a $1 million identity theft insurance policy. (The state department has set up a Web page with contact information for people to call.)
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," South Carolina Governor Nikki Haley said in the statement. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."
The department said the data theft appears to have occurred sometime in mid-September. An ongoing investigation of the breach by security firm Mandiant shows that the perpetrators first made an attempt to break into the system and steal the data in August and twice again in mid-September. The hackers appear to have accessed the data during the mid-September intrusions, the department said in its statement.
The Department of Revenue first learned of the intrusion only on Oct. 10 after being notified about it by the S.C. Division of Information Technology. Federal and state law enforcement authorities were immediately informed about the breach and Mandiant was brought in the next day to begin remediating the situation. It is not immediately clear what systems were breached, or how.
Mandiant has closed the vulnerability that led to the intrusion and has finished installing surveillance and monitoring tools across the department, the statement added.
The breach is easily the biggest involving Social Security Numbers this year. The previous biggest loss of SSNs this year happened when hackers believed to be operating out of East Europe broke into a Medicaid server at the Utah Department of Health in March and accessed closed to 280,000 SSNs and close to 500,000 other records involving less sensitive personal data.
In that incident, hackers were able to gain access to the system by exploiting a default password on the user authentication layer of the system. The attackers were able to bypass multiple network, perimeter and application level security controls to gain access to the data. The incident prompted the resignation of Utah's CTO, a couple of months later.
It's too soon to say what kind of fallout this breach will have, especially considering the fact that the SSNs appear to have been stored in unencrypted fashion.
Security experts have long advocated the use of encryption to protect SSNs and other sensitive data and some states such as Massachusetts even mandate it. The fact that this basic precaution appears not to have been taken in this case could expose the state to potential lawsuits as well.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about data security in Computerworld's Data Security Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Why change management doesn’t work
Larry Page wants to see your medical records
Dual-Persona Smartphones Not a BYOD Panacea
After two-year hiatus, EFF accepts bitcoin donations again
CIOs struggle to deliver timely mobile business apps: survey
Batten Down the Hatches! A Guide to Protecting Data in Motion
The risks facing high-speed data networks and unencrypted data while in motion are very real and on the rise. As information becomes one of the most valuable ‘off balance sheet’ assets, protection of that information and the investment in it is a paramount obligation of office-holders and management. Read now for a better understanding of the risks to data in motion.
Maximising productivity without sacrificing security
Advances in mobility and client computing technology combined with the ubiquity of the Internet and social media are creating a culture and desire for constant connectivity and anywhere access to information. As these trends extend from the home into the work place, IT managers should consider seriously the opportunities for increased productivity and communication with customers and constituents, as well as understand the increased security risks posed by online, anytime access to private networks and data. Read more.
Russian Underground 101
This research paper intends to provide a brief summary of the cybercriminal underground and shed light on the basic types of hacker activity in Russia. It discusses fundamental concepts that Russian hackers follow and the information they share with their peers. It also examines prices charged for various types of services, along with how prevalent the given services are in advertisements. The primary features of each type of activity and examples of associated service offerings are discussed as well. Read this paper.