No organization is safe from the prying of hackers and malware, as cyber thieves turn their attention to both businesses and government agencies. Many municipalities are slowly starting to learn of the risks they face, but it seems that the South Carolina state government is picking up this lesson the hard way.
In a series of five online break-ins of the website for the state’s Department of Revenue in August and September, hackers got away with the personal information of millions of South Carolina residents. Among the information taken by the cyber thieves were 387,000 credit and debit card numbers and the unencrypted Social Security numbers of at least 3.6 million South Carolina residents, making this one of the largest data breaches to occur in the United States.
What went wrong?
Not only was the department a victim of a network breach, but it exhibited lax layered security practices, making it easier for hackers to steal sensitive data about the state’s residents.
Of the 387,000 debit and credit card numbers stolen, about 16,000 of them were unencrypted. James Etter, the director of the state’s Department of Revenue, told The Post and Courier that South Carolina had been encrypting payment card information since 2003, and so the numbers that were unencrypted are likely expired by now. However, that information could still be used to access bank accounts and other sensitive financial information, especially if the card number is still in use but with a new expiration date.
However, all of the Social Security numbers were unencrypted, meaning that information was readily available to the cyber thieves. Etter told the news source that encrypting SSNs is not commonplace, but it is simple to do so. In this instance, South Carolina perhaps was just not following the most stringent cybersecurity measures.
South Carolina’s Revenue Department is far from the only government agency to have its substandard security exposed by hackers. According to The Privacy Rights Clearinghouse, more than 600 data breaches involving about 141 million records have occurred among public agencies in the U.S. since 2005. In addition, USA Today reported that so far this year, 9.8 million records have been stolen as a result of 76 data breaches of government agencies.
How is the state addressing the matter?
South Carolina Governor Nikki Haley has pledged a massive audit of the state’s computing system, with The Greenville News reporting that she said “South Carolina has come under attack but South Carolina is going to fight back in every way possible to make sure every taxpayer is taken care of.”
However, residents are already fuming over how state officials have been handling the breach. For example, while the state had contracted with an outside firm to offer free identity theft protection, the company has been bombarded with calls from irate residents and has not yet been able to handle everyone’s requests, The Post and Courier reported.
In addition, The Greenville News reported that some South Carolinians have expressed concerns over a perceived haphazard response to the incident. Once the U.S. Secret Service first notified the state about the breach, both governments had to fully investigate the incident before notifying residents. As a result, official notice was not given until Friday afternoon. Some residents are upset about this move, saying they were not given enough time to sufficiently react and rectify their losses.
What should South Carolina have done to better protect the data? Should the state have sent notifications more quickly, even if it did not know all of the details about the theft? Leave your comments below to let us know what you think about this news!