3.6 million Social Security numbers hacked in S.C.
Tax returns, personal data compromised in ‘massive’ breach

Friday, Oct. 26, 2012
MASSIVE BREACH


By NOELLE PHILLIPS - nophillips@thestate.com

The U.S. Secret Service detected a security breach at the S.C. Department of Revenue on Oct. 10, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised.

The attack also exposed 387,000 credit and debit card numbers. The stolen data included other information people file with their tax returns such as names and addresses. Businesses’ taxpayer identification numbers also potentially have been comprised in the attack that is being described as one of the nation’s largest against a state agency.

The attack affects tax returns as far back as 1998, the Revenue Department said. But not all of the department’s data – so not every taxpayer – was affected, it said.

Mike Williams, the director of the Secret Service in South Carolina, joined SC Gov. Nikki Haley, along with SLED Chief Mark Keel and other officials to about the breech of the South Carolina Department of Revenue database by an international hacker. 3.6 million social security numbers may have been compromised. Williams said the breech is one of the largest the agency has seen but not the largest.

Most of the data had not been encrypted, meaning the hacker would not need a key to a secret code to read the stolen data.

Revenue director James Etter said none of the Social Security numbers were encrypted and about 16,000 credit card numbers were not encrypted.

“That was not part of the system at that point,” Etter said during Gov. Nikki Haley’s press conference Friday to announce the breach. “That’s something we’ll be looking into.”

Officials, including State Law Enforcement Division Chief Mark Keel, said the millions of affected S.C. taxpayers had not been notified sooner because agents needed to reach “certain benchmarks in their investigation.”

Keel said it took time to determine how much data had been compromised. And investigators needed time to gather evidence that could lead to prosecution.

It is not known how the security breach has affected taxpayers and whether or how the hacker might have used the data.

The Revenue Department established a toll-free phone line and a website for taxpayers who might be affected, but the system was overwhelmed Friday afternoon by the hundreds of thousands of people calling. The Revenue Department is increasing the number of receptionists at its call center, which will be open over the weekend, DOR spokeswoman Samantha Cheek said.

The security breach will be costly for the state, which hired a private cyber security firm to block the attack and to install new equipment and software at the Revenue Department. The state also promised to pay for one year of credit monitoring and identity theft protection for those affected.

The attack led Haley to pledge to beef up the state’s vulnerable information technology systems. She signed an executive order directing Cabinet agencies to cooperate with the state inspector general in an assessment of security. The order says that the state’s information technology security procedures have been “largely uncoordinated and outdated.”

It appears the hacker’s first attempt to probe the Revenue Department’s system came from a foreign Internet address on Aug. 27. Officials would not disclose where the attack originated.

The attack was discovered Oct. 10 by the U.S. Secret Service’s electronic crimes task force in South Carolina, Special Agent in Charge Michael Williams said.

His office notified SLED, and state agencies began scrambling to address the problem.

Upon the Secret Service’s recommendation, the state on Oct. 12 hired Mandiant, a private computer security firm based in Alexandria, Va. It was Mandiant’s experts who discovered that the hacker made two attempts to enter the system in early September and obtained data in mid-September. The company blocked the attacker’s access to the server Oct. 20.

The company also installed log-in monitoring and other tools to deter another attack, said Marshall Heilman, the company’s director of services.

Mandiant’s investigation into the attack is ongoing,

“We tend to measure investigations in weeks and months, not hours and days,” Heilman said during a Friday press conference. “We appreciate your patience.”

Officials declined to provide further details on the hacker or efforts to bring the person or persons to justice.

“My instructions to them were to slam him to the wall,” Haley said of her discussions with SLED’s Keel.

The attack was one of the largest the Secret Service has seen but not the biggest, Williams said.

The Privacy Rights Clearinghouse in San Diego, Calif., has compiled records of government security breaches since 2005. A State newspaper check of the clearinghouse’s database does not show any breaches of tax information that even approach the size of the attack against South Carolina.

The clearinghouse, a 20-year-old, nonprofit consumer and privacy advocacy organization, listed 11 other cases of tax records breaches by government agencies.

The group’s director, Beth Givens, described South Carolina’s example as a “massive breach.”

“This database should have been encrypted,” Givens said. “The fact that it wasn’t is a significant failing.” She also criticized the state’s delay in notifying taxpayers.

“I don’t give the tax agency high marks for the amount of time it has taken to notify these individuals.” She said a lot of damage could have occurred since the attackers first struck.

Haley vowed to better protect S.C. residents’ personal information in April after a state employee gained access to 228,000 Medicaid beneficiaries’ data. She put the word out that jobs were on the line if supervisors were not vigilant in protecting private information.

S.C. Inspector General Patrick Maley said nine agencies had been evaluated thus far, and some corrective action had been taken. There was no overarching security policy within state government, he said.

No one at the Revenue Department or within the state’s information technology division has been disciplined over the latest attack. Haley said the latest cyber attack is different from the one reported in April.

“That was an internal breach. This is totally different. This is unprecedented,” Haley said. “This is an international attack that did not come from the inside, that was creative in nature and reminds all of us that we’re in a different age and time where internally is not just where you have to look. We have to look externally.”

Reporter Clif LeBlanc contributed to this report.

WHO KNEW WHAT WHEN

State officials told the public of a taxpayer data breach 16 days after the attack was discovered.

Oct. 10: U.S. Secret Service learns of a breach involving South Carolina’s tax records and tells state officials. The S.C. Division of Information Technology notifies the Department of Revenue. DOR contacts the Governor’s Office, and SLED Chief Mark Keel briefs Gov. Nikki Haley.

Oct. 12: DOR signs a contract with Mandiant of Alexandria, Va., one of three private electronic security firms that law enforcement recommended the agency hire.

Oct. 16: Mandiant learns that an unknown hacker or hackers probed the system in early September and again in mid-September, when the hacker obtained data presumably for the first time. DOR contacts the Nelson Mullins law firm for help with breach management.

Oct. 20: The “hole” through which information was accessed is closed, and the system is believed secured.

Oct. 26: The public is informed in a 1:45 p.m. press conference. Officials say the attack might have begun Aug. 27. Several S.C. media outlets began reporting the news several hours earlier; one TV reporter said the station had been working on the story for two days.

SOURCE: Chronology information prior to Oct. 26 from the Governor’s Office

Read more here: http://www.thestate.com/2012/10/26/2496396/south-carolina-taxpayers-privacy.html#.UIwFqcXR7eU#storylink=cpy

http://www.thestate.com/2012/10/26/2496396/south-carolina-taxpayers-privacy.html#.UIwFqcXR7eU

Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more