In a follow-up to the much-publicized security breach that exposed sensitive data on millions of South Carolina residents, the governor’s office has released the official report on the incident, as researched by security firm Mandiant. The origin of the attack was traced to an unnamed state employee clicking on a phishing email, leading to the immediate compromise of that employee’s network credentials. From there, the hackers were able to gain access to 44 different government systems and 74GB of uncompressed taxpayer data and encryption keys. More importantly, it was revealed that the millions of Social Security numbers stolen in this attack were being stored unencrypted, primarily because the current Internal Revenue Service standards do not require encryption of any kind.
What this means for you:
It’s a running joke that governments are typically way behind the times when it comes to operational efficiency, which was fine in the days of mimeographs, fax machines and microfiche, but it’s no longer a laughing matter in the age of the Internet. The fact that the IRS still isn’t requiring states to encrypt your critical data is an open invitation to cybercriminals everywhere, as well as every amateur hacker looking for a quick payday and street cred. On top of this, the fact that government agencies like South Carolina’s Revenue Department are relying on outdated and unsafe standards that even sophomore technology professionals would recognize as being insufficient is appalling and reprehensible, mea culpa notwithstanding.
Despite the egregious lack of security, the breach in question happened because an employee opened the door. You may be well-informed and security conscious, but are your employees properly trained to spot and avoid phishing emails? Are they engaging in insecure behavior, either out of ignorance or willful disregard of company policy? If you handle sensitive personal information during the course of normal business, are they aware of the federal regulations regarding the handling and disposal of that information?
On Friday, the state of South Carolina announced that it had been the victim of a major security breach, and that as many as 3.6 million state residents (nearly 77% of the total state population) may have had their Social Security numbers and other personal identifying data stolen by a person or persons unknown. As security firm Mandiant investigates the breach, the state further revealed today that as many as 657,000 local businesses may also have been impacted by the data leak. The severity of the breach was exacerbated by the fact that the compromised data was actually being stored unencrypted on state-run servers, despite the fact that it contained extremely sensitive tax information going back multiple years.
What this means for you:
Unless you are a resident of South Carolina or your business has filed taxes in that state, this particular event probably won’t impact you directly. However, it does serve to highlight that governments, like many businesses, fail to take security as seriously as they should, often under-spending on security or even ignoring potential threats. If you work with customer data that might be considered sensitive, are you doing enough to make sure that data is kept safe, not only from hackers, but from loss due to physical device theft, and damage from things like wildfires, floods, earthquakes or even a spilled cup of coffee? Most businesses won’t be able to prevent a determined hacker from penetrating their defenses, but they can make sure that sensitive data is stored properly (or not at all!) to minimize the collateral damage.