Lax Security Blamed for Payment Breach

S.C. Inspector General Issues Report in Response to Sept. Hack
A breach of South Carolina's tax system exposed not only the Social Security numbers of some 3.6 million taxpayers but also an estimated 387,000 credit and debit card numbers. Federal tax identification numbers of some 657,000 businesses in the state also have been linked to the breach.

The state Office of Inspector General says South Carolina's absence of a statewide information security program is to blame and is the reason the state's digital assets are at risk.

"It's clear we need some statewide mechanism in order to coordinate and address these issues," Inspector General Patrick Maley says. "Somebody has to be in charge."

The breach, which occurred in mid-September, is believed to have originated in Eastern Europe (see Silver Lining in South Carolina Tax Hack).

In the inspector general's report posted on the website of the Easley, S.C., Patch, Maley says there are no mandatory state policies, standards, monitoring or enforcement for information security in agencies of state government.

"The state provides a general information security policy model, but the state only suggests each agency tailor it to their environment," he says. "This information security policy approach, coupled with the state's decentralized IT environment, creates unique challenges in understanding, controlling and mitigating the statewide information security risk in the over 100 entities in the executive branch, as well as the other branches of government."

Since the breach was unveiled last month, informal and formal meetings have been held among the inspector general's office, the Division of State Information Technology, private-sector experts and individual agency chief information officers to begin developing plans to better protect the state's and agencies' information systems and data.

The IG and IT division are asking state agencies to:

  • Conduct short-term remediation steps: Each agency will double-check specific information security procedures having the highest impact on lowering information security risk. Emphasis will be on reviewing these fundamentals in each agency through the new optic of the post-Department of Revenue breach world in which the state operates.
  • Agency self-assessment: Each CIO will complete an electronic information security self-assessment survey for their agency, as will each agency head from their perspective. Then, the agency head and CIO will meet to discuss results to ensure agency heads are fully engaged in this statewide issue.
  • Data classification: Locate all high risk data, primarily personal identifying information and protected health information. Additionally, request help on any personal identifying information or protected health information not sufficiently secured.

Maley says South Carolina government has established a full-time task force to address statewide information security. It will focus on describing current conditions of information security statewide and collecting data to be used to develop options and recommendations on information security risk governance models. "A governance model is the first step to provide a sustainable statewide information security platform for leadership, structure/processes and assurance that information security risk, policy and resource needs are coordinated and addressed at the state level," Maley says.

The inspector general says his office plans to provide actionable items in the area of governance models.

A second milestone of the task force will be to develop options on strategy and implementation plans, which Maley says will likely require South Carolina to hire outside experts, as has been done in other states. "The implementation options will likely be a function of time and cost," he says. "Resources will be required to build the governance model selected and mitigate information security risks identified as agencies systematically conduct risk assessments."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
