South Carolina points finger at lack of encryption


The full scope of the massive data breach of the South Carolina Department of Revenue is still making headlines.

The data included 3.8 million Social Security numbers (SSNs) and information on 1.9 million dependants. Information from 699,900 businesses was compromised, along with 3.3 million bank accounts and 5,000 credit card numbers.

The data was stolen by a pretty prosaic method: an employee opened a phishing email, which allowed the attacker to obtain a username and password and use them to log in to the department's systems through Citrix remote access.

"From there, the hacker installed various tools that captured user account passwords on six servers. The hacker eventually gained access to three dozen other systems…The hacker used at least 33 unique utilities and malware, including password dumping tools, administrative utilities, batch scripts, and generic database command utilities. The hacker used a utility called 7-Zip to compress information, creating 15 encrypted archived files that, if uncompressed, contained 74.7GB of data. The data was moved to another server within DOR before it was eventually moved to another system on the Internet," according to a story in IDG.

Unfortunately, some of the most sensitive information, such as SSNs, was stored unencrypted. For this oversight the state is pointing its finger at the IRS, which does not require states to encrypt SSNs; the governor has written to the IRS asking it to require that all SSNs be encrypted. Nothing prevents a state from going beyond current requirements, however, and South Carolina now plans to encrypt the data on its own.

This is a wake-up call for other states. States neighbouring South Carolina were quick to point out that they already encrypt all such data. Encryption as a preventive measure is hard to argue against. Consider NASA, which is moving to full-disk encryption on agency laptops after one containing unencrypted personal information on a 'large' number of people was recently stolen from a locked car. One caveat is worth keeping in mind: the two cases differ. Full-disk encryption protects data on a laptop that is switched off and stolen, but an attacker who, as in South Carolina, logs in with a legitimate user's credentials and runs queries against a live system sees the same plaintext that user sees. Closing that path takes encryption of the SSN fields themselves, with keys held by the application rather than the database, together with limits on how much any one account can read and export.

