In a follow-up to the much-publicized security breach that exposed sensitive data on millions of South Carolina residents, the governor’s office has released the official report on the incident, as researched by security firm Mandiant. The origin of the attack was traced to an unnamed state employee clicking on a phishing email, leading to the immediate compromise of that employee’s network credentials. From there, the hackers were able to gain access to 44 different government systems and 74GB of uncompressed taxpayer data and encryption keys. More importantly, it was revealed that the millions of Social Security numbers stolen in this attack were being stored unencrypted, primarily because the current Internal Revenue Service standards do not require encryption of any kind.
What this means for you:
It’s a running joke that governments are typically way behind the times when it comes to operational efficiency, which was fine in the days of mimeographs, fax machines and microfiche, but it’s no longer a laughing matter in the age of the Internet. The fact that the IRS still isn’t requiring states to encrypt your critical data is an open invitation to cybercriminals everywhere, as well as every amateur hacker looking for a quick payday and street cred. On top of this, the fact that government agencies like South Carolina’s Revenue Department are relying on outdated and unsafe standards that even sophomore technology professionals would recognize as being insufficient is appalling and reprehensible, mea culpa notwithstanding.
Despite the egregious lack of security, the breach in question happened because an employee opened the door. You may be well-informed and security conscious, but are your employees properly trained to spot and avoid phishing emails? Are they engaging in insecure behavior, either out of ignorance or willful disregard of company policy? If you handle sensitive personal information during the course of normal business, are they aware of the federal regulations regarding the handling and disposal of that information?