Silver Lining in South Carolina Tax HackBuilding Citizen Awareness for the Need for Stronger Infosec
Political leaders don't spend much face time with the public on cybersecurity; there just aren't any votes in it. That, in part, explains why President Obama and Mitt Romney hardly mentioned IT security during the presidential campaign [see Cybersecurity: Obama vs. Romney].
See Also: Stopping BEC and EAC
But that mindset might be changing. Take a look at what's happening in South Carolina. A breach of the state's tax IT system in mid-September exposed the Social Security numbers of 3.6 million taxpayers [see South Carolina Revenue Department Breached]. That's a lot of people in a state with a population of 4.7 million. [The 3.6 million figure represents those filing taxes since 1998. Still, that's a large portion of South Carolinians who had their privacy compromised.]
I can't believe we live in a world when this criminal would go to these lengths to get all this information.
The breach also exposed 387,000 credit and debit card numbers, as well as the federal tax identification numbers of some 657,000 businesses in the state.
Gov. Nikki Haley realizes the potential damaging political consequences of the breach, which explains why she held three press conferences on three consecutive days late last month to address her administration's response to the incident.
Those three briefings focused on how affected taxpayers could apply for a year's worth of free credit monitoring and identity theft prevention services offered taxpayers through the credit-monitoring company Experian, which says it would cap its charges to the state at $12 million. Dun & Bradstreet Credibility Corp. will give affected businesses a similar fraud monitoring deal, but will not charge the state for its services.
Good, But Not Perfect
Haley contends South Carolina has state-of-the-art IT security systems, but a hacker, believed to be from Eastern Europe, first broke into the system this past summer, and began pilfering information in mid-September.
The governor echoed the belief of many IT security experts that clever hackers can break into some of the most secure information systems.
"If somebody wants to make something happen, they are going to make it happen. so we just have to be so cautious, and be in front of it," Haley said. "And, in some cases, we have to realize that bad people do bad things.
"But we also have to realize that with people like Dun & Bradstreet (Credibility Corp.), they're doing this for free; good people do good things. So, there has been good and bad through this whole crisis, and it has been people stepping up when they didn't have to, and it's been stepping back and saying, 'I can't believe we live in a world when this criminal would go to these lengths to get all this information.'"
But criminal do go to those lengths; it's become very commonplace.
And recognizing that even the best systems can be breached isn't a defense. Information that should have been encrypted, such as the Social Security numbers, weren't, although the state says it's now in the process of doing so - a task that should be completed by early next year.
It's easy to criticize those in charge when a significant breach occurs. But let's give Haley credit. She spent more than an hour of her time in the media briefings, taking questions on the breach. Sure, it could prove to be good politics, but Haley is doing something that many elected officials fail to do: Be transparent.
Haley's effort at transparency is raising citizen awareness of the consequences of inadequate IT security, and this could prove to be a silver lining in what otherwise is a dark situation. With millions of South Carolinians potentially victimized, this breach is believed to be the largest exposure of personally identifiable information of a government tax system. Yet, through Haley's efforts, perhaps a new army of advocates is being built that could be deployed to support tougher IT security standards and more funds to shore up critical cyberdefenses.