With focus on large banks, cyber criminals eye easier prey


The hacker attacks against big banks generated lots of headlines and focused the financial services industry--and lots of outsiders--on the threat of even more insidious attacks. Some felt the massive denial-of-service attack was a mere near-political ruse to deflect attention from a scheme to steal money somehow.

As it turns out, a far more serious attack, one that appears unrelated to the bank attack, indeed took place: Hackers from abroad infiltrated the South Carolina Department of Revenue, compromising the agency's database to steal 3.6 million Social Security numbers and nearly 400,000 credit card numbers. 

Other data of a PII nature was also stolen, including individual tax returns. The breach began in late August and was not detected by state government officials until October 10. The public was notified of their PII losses on October 26.

This no doubt ranks as one of the most serious crimes again a state government, one that obviously took the state by complete surprise. As of right now, it's unclear exactly how the criminals accessed the data based. The early word is that they somehow used state-approved credentials. What's unclear is how they obtained the credentials.

They could have stolen them, or they could have had an insider accomplice. About 250 Revenue Department employees have credentials to access taxpayer records apparently. There are lots of issues that remain. The extent to which encryption was used or not needs to be definitively addressed. So does the issue of the contractor who scanned the system for vulnerabilities in September and October and found nothing.

Some have suggested that a tech czar be appointed to take this bull by the horns, as the costs of this are already starting to mount. The state has agreed to pay Experian up to $12 million for credit monitoring for victims. The state has also been forced to hire a new contractor to secure its systems and a lawyer to advise it on liability matters.

What needs to happen now is a complete transparent bow-by-blow account of exactly how this has happened. Law enforcement officials need to be involved. Other municipal and state agencies need to view this for what it is: A very stark reminder of just how vulnerable they are. Officials might think they have done enough to secure their data. They most certainly have not. -Jim