South Carolina faults weak IRS standard in massive data breach

Gov. Nikki Haley has written to the IRS emphasizing the importance of encrypting Social Security numbers

South Carolina's governor faulted an outdated Internal Revenue Service standard as a contributing factor to a massive data breach that exposed Social Security numbers of 3.8 million taxpayers plus credit card and bank account data.

Gov. Nikki Haley's remarks on Tuesday came after a report into the breach revealed that 74.7 GB was stolen from computers belonging to South Carolina's Department of Revenue (DOR) after an employee fell victim to a phishing email.

People who filed tax returns electronically from 1998 on were affected, although most of the data appears to be after 2002, Haley said during a news conference.

South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted, she said. The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. She said she has sent a letter to IRS to encourage the agency to update its standards to mandate encryption of SSNs.

The lack of encryption and strong user access controls plus dated 1970s-era equipment made DOR systems ripe for an attack, she said.

"This is a new era in time where you can't work with 1970 equipment," Haley said. "You can't go with compliance standards of the federal government."

The report, written by the security company Mandiant, found that an employee's computer became infected with malware after the user opened a phishing email. The hacker captured the person's username and password, which allowed access to the agency's Citrix remote access service.

From there, the hacker installed various tools that captured user account passwords on six servers. The hacker eventually gained access to three dozen other systems. Mandiant wrote that the hacker used at least 33 unique utilities and malware, including password dumping tools, administrative utilities, batch scripts and generic database command utilities.

The hacker used a utility called 7-Zip to compress information, creating 15 encrypted archived files that, if uncompressed, contained 74.7 GB of data. The data was moved to another server within DOR before it was eventually moved to another system on the Internet, the report said.

The 23 stolen database files contained a mix of encrypted and unencrypted data, the report said. The hacker appears to have only obtained an encrypted key for the encrypted data, which could not be accessed. But there was plenty of other plain-text data.

The data included SSNs for 3.8 million tax filers and information on 1.9 million dependants, Haley said. Information belonging to 699,900 businesses was compromised, along with 3.3 million bank accounts and 5,000 credit card numbers, she said.

South Carolina has identified all of the victims, who will be notified by letter. The state is also working with Experian, which is monitoring credit information for victims.

As a result of the breach, DOR Director Jim Etter will resign effective Dec. 31. He will be replaced by Bill Blume, who is currently executive director of South Carolina's Public Employee Benefit Authority, Haley said.

Join the CSO newsletter!

Error: Please check your email address.

Tags South Carolina Department of Revenuesecuritydata breachencryptionExploits / vulnerabilitiesMandiantdata protectionmalware

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place