More than 75% of South Carolina’s residents had their social security, credit card numbers and other personally identifiable information breached. News of the breach came in October, though it actually began in August. Who uncovered the breach? Usually it is the FBI, but this time it was the Secret Service that notified S.C. on October 10th.
How did the breach happen? Someone, as yet unknown, stole legitimate credentials from one of the 250 state employees with access to the South Carolina Department of Revenue (DOR) database.
Why was the attack so easy? Because (pulling our hair out here) the data was not encrypted. While this was horrific enough, the statements by S.C. governor Nikki Haley may have been more alarming. With 3.6 million of her citizens affected, Haley was in full defensive posture, saying that encryption was “complicated and cumbersome technology.”
This is a Governor in need of some education.
She also said “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t . . . It’s not just that this was a DOR situation, but an industry situation.”
Really - banks don't encrypt? I'd like her to name one.
Industry expert Adrian Lane, the CTO of Securosis has said, accurately: “In most cases, encryption or other forms of obfuscation (masking, tokenization) can be done transparently to business operations and at a reasonable cost. It need not be complicated – but you have to actually invest some time and money to get it done, and that’s how most states fail.”
The attackers have already used the data for identity theft and state sponsored attacks against manufacturers, the defense industry and other government agencies.
"From a state point of view, this is kind of the mother of all data breaches thus far,” said Larry Ponemon, chairman of The Ponemon Institute, which researches privacy and data protection.
In spite of her assertion that encryption is complicated and cumbersome, Haley says S.C. is now considering it. A bit late for South Carolina's citizens who have had their data compromised.
E-mail: firstname.lastname@example.org Phone: 703-359-0700