S.C. governor's post-breach data encryption claims are off-base, analysts say
Gov. Haley calls encryption a cumbersome practice that's not followed even by many banks
Computerworld - Security analysts this week challenged South Carolina Governor Nikki Haley's defense of the state's information security practices in the wake of a data breach at the S.C. Department of Revenue that exposed the Social Security Numbers (SSNs) of 3.6 million people.
In a news conference Monday, Haley insisted that the state was following industry practices when it decided not to encrypt SSNs and other personal taxpayer information stored on state computers.
"The industry standard is that most SSNs are not encrypted," Haley said in response to a question from a reporter. "A lot of banks don't encrypt, a lot of those agencies that you think might encrypt Social Security Numbers actually don't, because it is very complicated. It is cumbersome and there's a lot of numbers involved with it."
Haley went on to add that the encryption issue affected not just the South Carolina Department of Revenue but other organizations across all industries.
The state followed the same security standards as other organizations and there's little it could have done to fend off the attack, she said. "If the CIA can be hacked, anybody can be hacked."
Haley's news conference, and one held earlier today, came after the state disclosed Friday that unknown hackers from overseas had broken into a Department of Revenue database and accessed SSNs and other personal data belonging to 3.6 million people.
Another 387,000 credit and debit card numbers belonging to taxpayers were also exposed in the September attack. According to state officials, the SSNs weren't encrypted, though all but 16,000 of the credit and debit cards that were compromised had been encrypted. State officials first discovered the breach on Oct. 10, but did not disclose it until Friday on the advice of state and federal investigators. Anyone who has filed a South Carolina tax return since 1998 has likely been affected.
The state has agreed to offer free credit monitoring services and up to $1 million in identity theft insurance coverage for victims of the breach. More than 287,000 people have already signed up for the service, Haley said.
Avivah Litan, an analyst with Gartner, called the governor's defense of the state's security practices shaky. "It's true that most banks don't encrypt customer data, largely because of performance hits and management overhead," Litan said.
"But most banks do a decent job of instituting strong protections around sensitive customer data at rest," she said, noting that encryption is only one method for protecting data. "There are many other methods that are viable and, when used together, offer more protection than just encryption alone.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts