Home arrow Identity Theft arrow In The News arrow South Carolina Data Breach Reveals More Than One Error In State's Data Protection Efforts
User Login





Lost Password?
No account yet? Register
Guard My Credit Menu
Home
- - - THE ISSUES - - -
Videos
Fraud and Scams
Credit Issues
Identity Theft
Privacy Issues
Our Children
Politics & Politicians
- - ACTION CENTER - -
Guard My Credit Links
Helpful Pamphlets
- - - - - - - - - - - - - - -
About ACCESS
Contact Us
About Our Site
Join the Fight
ACCESS is a non-profit, tax exempt consumer advocacy group.

Donations are tax deductable.

Guard My Credit Hits
11412937 Visitors
South Carolina Data Breach Reveals More Than One Error In State's Data Protection Efforts PDF Print E-mail

October 31, 2012 - For years, ACCESS has been advising consumers, businesses and government agencies to adopt and stick to strict data protection protocols. And over the years, it continues to amaze us that government agencies have not complied even through some of the largest data breaches ever recorded have been as a result of lacking data security within government agencies. It turns out that South Carolina's recent breach appears to fall into this category. 

Image

It is bad enough that hackers gained access to the state's Department of Revenue computer system and were able to maintain access for roughly three months before anyone noticed. As it turns out, none of the data within their computer system appears to have been encrypted. This includes the Social Security Numbers of South Carolina taxpayers.

After the breach was announced, Governor Nicki Haley was forced to admit that SSN's are not typically encrypted on state agency computer systems. The reason given for this was that encryption is "cumbersome".  Of course, so is protecting your identity after it has been stolen. If you don't believe me, I'm fairly certain that there are 3.6 million residents of South Carolina who are ready to back me up on that statement.

But Haley was correct when she said, “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t. It’s not just that this was a DOR situation, but an industry situation.”

In this case however, it really isn't clear that anyone would have been protected with encryption. That's because the way that the hackers logged onto the state's computer system was with legitimate compute credentials that were apparently stolen from an employee at the Department of Revenue.

That little revelation brings up an entirely new set of questions. Private companies that have highly sensitive information stored on computers will frequently force their employees to change their passwords every few weeks. It is very apparent that the state didn't do that since the hackers were able to comb through taxpayer data over a period of months.

And since the hackers were logging on using a legitimate account, even if the data on the state's systems had been encrypted, it would have been decrypted for anyone viewing it once they were logged into the system.

This isn't just an issue for residents of South Carolina. It is an issue for the entire country. This breach is revealing some significant weaknesses in the ways that states store and access data on their citizens. Agencies at all levels of government would be wise to look closely at what is happening in South Carolina, compare their systems to those of SC, and make appropriate changes to protect their citizens. 

byJim Malmberg

Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.

Follow me on Twitter:

 

TwitterCounter for @jmalmberg

 

Follow ACCESS

Comments
Search
Allen Cummings  - South Carolina Data Breach Reveals More Than One E     |From:60.230.46.xxx |2012-11-01 05:22:59
As a system administrator, when I first heard this story my reaction was there must have been a serious breakdown in security procedures, Your post has confirmed my suspicions. in my opinion, this hacking was entirely preventable had proper computer security procedures been followed.

I have attached a link to an article I recently wrote about proper procedures for securing sensitive data on computer. This government department broke all the rules.

http://www.cyber-security-tips.com/2012/03/15-unsafe-security-practices-leading-to-data-breaches/
jmalmberg  - RE: South Carolina Data Breach Reveals More Than O     |2012-11-01 09:54:52
Allen,

I really wish that I could tell you that this was unusual but government agencies seem to be the worst at protecting the personal information of their citizens/constituents. And it isn't just because of incompetence either... although there is plenty of that. There is also a great deal of indifference. I am at a point that I honestly believe that the people running these agencies simply don't care what happens to the people they are supposed to work for.

I'll take a look at your article.

Regards,

Jim Malmberg
Only registered users can write comments!

3.25 Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."

 
Guard My Credit Polls
Poll #166 - Have you personnally been a victim of Identity Theft
 
#1 - Why did you visit our site today?
 
.•*´¯☼ ♥ ♥ Your Support of These Links Is GREATLY Appreciated ♥ ♥ ☼¯´*•.
Advertisement
 
Go to top of page
Home | Contact Us |About Us | Privacy Policy
eXTReMe Tracker
11/22/2024 05:02:13