Stolen Password Led to South Carolina Tax Breach

Timeline Shows When and How Hacker Entered State Tax System

By , November 20, 2012.
A stolen state employee password allowed a hacker to breach the South Carolina tax system earlier this year, resulting in the exposure of records of more than 3.8 million individual and 700,000 business tax filers [see South Carolina Revenue Department Breached].

Gov. Nikki Haley on Nov. 20 issued a report from the IT security firm Mandiant, which the state hired to investigate the breach, that says the hacker obtained the password when an employee of the Department of Revenue opened an e-mail containing malicious computer code on Aug. 13 [see complete timeline of the breach below].

"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley said at a press conference.

The tax records exposed were those electronically filed since 2002, although some records as far back as 1998 were exposed. The hacker also pilfered 3.3 million unencrypted bank account numbers and 5,000 expired credit card numbers. In addition, the breach also exposed personally identifiable information of some 1.9 million dependents. The state will notify those whose data were breached by mail. The state is paying $12 million in identity protection services for taxpayers.

The report cited two basic security flaws: the failure of state workers to use multiple passwords to obtain sensitive data and the failure by the state to encrypt sensitive tax data. Haley blamed the breach on a combination of 1970s technology and the state's reliance on Internal Revenue Service guidance that she said does not require the encryption of Social Security numbers, creating what the governor dubbed a "cocktail of an attack."

Effectiveness of IRS Guidance Questioned

Haley sent a letter to IRS Acting Commissioner Steven Miller, calling on the federal service to require all states to have stronger security measures for handling tax information, particularly encryption of tax data that are stored or at rest. Citing IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies, Haley wrote that the guidance does not unequivocally require states to encrypt tax data. "What is even more troubling is that it appears that federal agencies, including the IRS, may also not be required to encrypt stored federal tax information," Haley said.

In response to an e-mail inquiry from Information Security Media Group, the IRS didn't explicitly explain its policies and processes regarding the encryption of taxpayer information. "We have many different systems with a variety of safeguards -- including encryption -- to protect taxpayer data," spokesperson Michelle Eldridge said. "The IRS has in place a robust cybersecurity of technology, people and processes to monitor IRS systems and networks.

"We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology."

The governor said the state would acquire new equipment and develop its own security standards.

"The one thing they've continued to tell me over and over is no one will ever again be 100 percent safe, no matter how much we do," Haley said. "But what we can do is put so many layers in this process that it is awfully hard to get into."

Changes to the tax system will be done with a new leader at the Department of Revenue. Haley announced the resignation of Jim Etter as director effective Dec. 31 to be replaced by Bill Blume, executive director of the South Carolina Public Employee Benefit Authority.

The Mandiant Report

And that process begins with the Mandiant report, which revealed the attacker compromised 44 systems, used 33 pieces of malicious software and utilities to perform the attack and data theft, remotely accessed Revenue Department servers using at least four IP addresses and employed at least four valid department user accounts during the attack.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
