South Carolina Department of Revenue Data Breach: What Went Wrong?
“Where do we go from here? We now have to go into cyber plan mode. This is a new era in time where you can’t work with 1970s equipment, you can’t go with compliance standards of the federal government, because both are outdated.”
– Nikki Haley, Governor of South Carolina
The South Carolina Department of Revenue recently suffered a major data breach in which the Social Security numbers of 3.8 million taxpayers and their 1.9 million dependents were exposed, along with roughly 5,000 credit card numbers and bank account information for 3.3 million accounts. The attacker gained access to 44 servers, installing 33 pieces of malicious software and utilities along the way, all undetected. The organization had no idea it had been breached; it was not until law enforcement brought the department evidence of three cases of identity theft that anyone was aware something might be wrong.
According to the official incident report (PDF), investigators are not certain how the attacker first gained access, but they believe it was via a phishing attack: an employee opened an infected attachment, and the attacker obtained a username and password. With valid credentials the attacker could log into the network like any employee, and once inside was able to reach numerous servers, installing tools along the way to help exploit further systems.
Since the attack, South Carolina Governor Nikki Haley has said the State is implementing stronger security policies and tools, including 24/7 monitoring. But you have to wonder why there was no monitoring in the first place. The attacker was inside the network for months: installing software, much of it malicious, compressing and downloading database files, accessing log files and more. None of this produced a warning or red flag for the network administrators. Each of those actions (one set of credentials fanning out across dozens of servers, archive tools being run against database backups, bulk outbound transfers from a database server) is visible in ordinary authentication, process and network logs if someone is looking. Incident detection and system state intelligence should be part of any information security strategy to help manage risk, a lesson South Carolina has unfortunately had to learn the hard way.
Compliance Doesn’t Mean Security
During a press conference Governor Haley made an interesting point about compliance, stating "the IRS which we were compliant with, does not believe you have to encrypt Social Security numbers." This is a great example of how compliance is not the same as security. Compliance may provide guidelines and a general framework, but being in compliance does not mean you are secure.
The Governor mentioned that when she appointed the Director of the Department of Revenue, Jim Etter, she had asked him whether they were secure, and he had answered that they were in compliance. In the press conference the Governor also stated that she had accepted Jim Etter's resignation after this breach. I think we see the lesson here.
I was really impressed with Governor Haley's press conference regarding the breach. You can see that she spent a lot of time researching the issue and had some great advisors in the process. She may have been naive about security before this breach, but you can tell she isn't taking any chances in the future; her eyes have been opened to the risks. When answering a question from reporters she stated:
“During this time cyber attacks are going to happen. No one will ever again be 100% safe, no matter how much we do, but what we can do is make sure we put so many layers in this process that it is awfully hard to get into. This is for the country to understand that every state needs to be looking at this.”
Spoken like a CISO. It is unfortunate that it takes a breach like this to raise awareness of information security risks in government, particularly among senior leadership, but it will be interesting to see the steps the State takes moving forward. I am willing to bet that they will build a model that other states, and even the federal government, should consider.
Here is the full press conference with Governor Haley; I highly recommend you watch it: