South Carolina breach exposes 3.6M SSNs
Another 387,000 credit and debit cards also exposed in Department of Revenue intrusion, but most were encrypted
Computerworld - In the biggest data compromise of the year, Social Security Numbers (SSN) belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenue.
Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday. However, out of that number only about 16,000 of the credit and debit cards were unencrypted, the department added. The SSNs, meanwhile, do not appear to have been encrypted.
Anyone who has filed a South Carolina tax since 1998 has been impacted by the breach and will be offered one year of identity protection service from Experian. The service includes a $1 million identity theft insurance policy. (The state department has set up a Web page with contact information for people to call.)
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," South Carolina Governor Nikki Haley said in the statement. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."
The department said the data theft appears to have occurred sometime in mid-September. An ongoing investigation of the breach by security firm Mandiant shows that the perpetrators first made an attempt to break into the system and steal the data in August and twice again in mid-September. The hackers appear to have accessed the data during the mid-September intrusions, the department said in its statement.
The Department of Revenue first learned of the intrusion only on Oct. 10 after being notified about it by the S.C. Division of Information Technology. Federal and state law enforcement authorities were immediately informed about the breach and Mandiant was brought in the next day to begin remediating the situation. It is not immediately clear what systems were breached, or how.
Mandiant has closed the vulnerability that led to the intrusion and has finished installing surveillance and monitoring tools across the department, the statement added.
The breach is easily the biggest involving Social Security Numbers this year. The previous biggest loss of SSNs this year happened when hackers believed to be operating out of East Europe broke into a Medicaid server at the Utah Department of Health in March and accessed closed to 280,000 SSNs and close to 500,000 other records involving less sensitive personal data.
In that incident, hackers were able to gain access to the system by exploiting a default password on the user authentication layer of the system. The attackers were able to bypass multiple network, perimeter and application level security controls to gain access to the data. The incident prompted the resignation of Utah's CTO, a couple of months later.
It's too soon to say what kind of fallout this breach will have, especially considering the fact that the SSNs appear to have been stored in unencrypted fashion.
Security experts have long advocated the use of encryption to protect SSNs and other sensitive data and some states such as Massachusetts even mandate it. The fact that this basic precaution appears not to have been taken in this case could expose the state to potential lawsuits as well.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- How to protect yourself against privileged user abuse
- Montana data breach exposes 1.3 million personal records
- Hacker puts 'full redundancy' code-hosting firm out of business
Read more about Data Security in Computerworld's Data Security Topic Center.
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- IT Security by the Numbers: Calculating the Total Cost of Protection Humorist Franklin P. Jones may have said it best: "When you get something for nothing, you just haven't been billed for it yet."...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!