Friday, November 30, 2012
South Carolina's governor faulted an outdated IRS standard as a contributing factor to a massive data breach that exposed Social Security numbers of 3.8 million taxpayers plus credit card and bank account data. Gov. Nikki Haley's remarks on Tuesday came after a report into the breach revealed that 74.7 GB was stolen from computers belonging to South Carolina's Department of Revenue after an employee fell victim to a phishing email. People who filed tax returns electronically from 1998 on were affected, although most of the data appears to be after 2002, Haley said during a news conference.
South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted, she said. The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. She said she has sent a letter to IRS to encourage the agency to update its standards to mandate encryption of SSNs.
The lack of encryption and strong user access controls plus dated 1970s-era equipment made DOR systems ripe for an attack, she said. ... The report, written by the security company Mandiant, found that an employee's computer became infected with malware after the user opened a phishing email. The hacker captured the person's username and password, which allowed access to the agency's Citrix remote access service. ...
The data included SSNs for 3.8 million tax filers and information on 1.9 million dependents, Haley said. Information belonging to 699,900 businesses was compromised, along with 3.3 million bank accounts and 5,000 credit card numbers, she said.
South Carolina has identified all of the victims, who will be notified by letter. The state is also working with Experian, which is monitoring credit information for victims.
As a result of the breach, DOR Director Jim Etter will resign effective Dec. 31. He will be replaced by Bill Blume, who is currently executive director of South Carolina's Public Employee Benefit Authority, Haley said.
The State: The Hacking of South Carolina:
A $25,000 dual password system likely would have prevented hackers from stealing state tax data belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, a special state Senate subcommittee investigating the data breach was told Wednesday.
“I almost fell out of my chair,” Sen. Kevin Bryant, R-Anderson, co-chairman of the cyber-security breach subcommittee, said after the hearing. “For $25,000, we wouldn’t be here.”
A computer security firm hired by the state told senators that hackers would have been thwarted by requiring Revenue Department employees to log in twice – once with a password that changes every minute.
Dual passwords are required by the Internal Revenue Service for agencies, such as state tax departments, that access federal tax records remotely, but the S.C. Revenue Department did not install the system until after the breach. The password system is costing $25,000, agency director James Etter told senators.
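The "password that changes every minute" the subcommittee was told about is a time-based one-time password (TOTP, RFC 6238): the server and the employee's token share a secret, and each derives a short code from that secret and the current time step. The following is an added example, not code from the article, the state, or the vendor it quotes; it implements HOTP/TOTP with the standard library and adds the two server-side checks a stolen-credential scenario like this one calls for: a small drift window, and refusal to accept a step that has already been used (so a code captured by malware cannot be replayed). The 60-second step is assumed from the article's wording (the RFC default is 30 seconds); the shared secret below is the RFC test key, used only so the output is checkable.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side verifier: tolerates clock drift of +/- `window` steps,
    compares in constant time, and never accepts a time step at or before
    the last one already used (RFC 6238 section 5.2 replay resistance)."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest time step for which a code was accepted

    def verify(self, code: str, timestamp: int) -> bool:
        base = timestamp // self.step
        for offset in range(-self.window, self.window + 1):
            candidate_step = base + offset
            if candidate_step <= self.last_step:
                continue  # already consumed: a captured code is useless here
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: a fresh per-user secret (in practice provisioned to the token once).
    shared_secret = secrets.token_bytes(20)
    verifier = TotpVerifier(shared_secret, step=60)
    now = int(time.time())
    code = totp(shared_secret, now, step=60)  # what the employee's token would display
    print("code:", code, "first use accepted:", verifier.verify(code, now))
    print("replay of same code accepted:", verifier.verify(code, now))
```

The second login factor only helps if the verifier is the one holding state: the replay check is what turns a keylogged one-time code into a dead credential, and the drift window should stay as small as the token hardware allows, because every extra step doubles the number of codes an attacker can guess.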