South Carolina breach exposes 3.6M SSNs
Another 387,000 credit and debit cards also exposed in Department of Revenue intrusion, but most were encrypted
Computerworld - In the biggest data compromise of the year, Social Security Numbers (SSN) belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenue.
Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday. However, out of that number only about 16,000 of the credit and debit cards were unencrypted, the department added. The SSNs, meanwhile, do not appear to have been encrypted.
Anyone who has filed a South Carolina tax since 1998 has been impacted by the breach and will be offered one year of identity protection service from Experian. The service includes a $1 million identity theft insurance policy. (The state department has set up a Web page with contact information for people to call.)
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," South Carolina Governor Nikki Haley said in the statement. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."
The department said the data theft appears to have occurred sometime in mid-September. An ongoing investigation of the breach by security firm Mandiant shows that the perpetrators first made an attempt to break into the system and steal the data in August and twice again in mid-September. The hackers appear to have accessed the data during the mid-September intrusions, the department said in its statement.
The Department of Revenue first learned of the intrusion only on Oct. 10 after being notified about it by the S.C. Division of Information Technology. Federal and state law enforcement authorities were immediately informed about the breach and Mandiant was brought in the next day to begin remediating the situation. It is not immediately clear what systems were breached, or how.
Mandiant has closed the vulnerability that led to the intrusion and has finished installing surveillance and monitoring tools across the department, the statement added.
The breach is easily the biggest involving Social Security Numbers this year. The previous biggest loss of SSNs this year happened when hackers believed to be operating out of East Europe broke into a Medicaid server at the Utah Department of Health in March and accessed closed to 280,000 SSNs and close to 500,000 other records involving less sensitive personal data.
In that incident, hackers were able to gain access to the system by exploiting a default password on the user authentication layer of the system. The attackers were able to bypass multiple network, perimeter and application level security controls to gain access to the data. The incident prompted the resignation of Utah's CTO, a couple of months later.
It's too soon to say what kind of fallout this breach will have, especially considering the fact that the SSNs appear to have been stored in unencrypted fashion.
Security experts have long advocated the use of encryption to protect SSNs and other sensitive data and some states such as Massachusetts even mandate it. The fact that this basic precaution appears not to have been taken in this case could expose the state to potential lawsuits as well.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Michaels breach exposes nearly 3M payment cards
- Teen nabbed in Heartbleed attack against Canadian tax site
- Heartbleed bug can expose private server encryption keys
- FTC can sue companies hit with data breaches, court says
- 5-year-old hacks Xbox, now he's a Microsoft 'security researcher'
- State AGs probe Experian subsidiary's data breach
- NSA sniffing prompts Yahoo to encrypt traffic between its data centers
- Banks withdraw data breach claim against Target
- Bank abandons place in class-action suit against Target, Trustwave
- Banks' suit in Target breach a 'wake-up call' for companies hiring PCI auditors
Read more about Data Security in Computerworld's Data Security Topic Center.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Cybercrime and Hacking White Papers | Webcasts