
South Carolina admits security failings in massive data breach case

22 November 2012

An investigation into the data breach at South Carolina's department of revenue, which compromised 3.8 million social security numbers and 3.3 million bank accounts, has uncovered a series of security failings.

Earlier this month the department revealed that it suffered data breaches in August and September, exposing the data of all people and businesses that have filed South Carolina tax returns since 1998.

A report from IT security firm Mandiant, commissioned by the State, says that the department's systems were compromised when an employee clicked a link in a phishing e-mail in mid-August.

From this, the hackers were able to obtain passwords and compromise 44 systems, using at least 33 pieces of malicious software to steal the social security numbers, as well as 3.3 million unencrypted bank account numbers and 5000 expired credit card numbers, Governor Nikki Haley told a press conference.

"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley told reporters.

Mandiant's investigation has identified two major security failings at the department: that employees did not need dual verification to get into systems and that social security data was not encrypted.

The Internal Revenue Service does not require social security data to be encrypted, something Haley says should change; she has written to the agency about it.

"That we had 1970 equipment, combined with the fact that we were IRS compliant, was a cocktail for an attack," the Governor says.

Department of revenue director Jim Etter has quit. The State has promised to beef up its systems and has committed up to $12 million to provide a free year of credit monitoring and identity theft prevention to anyone affected.

Some people have already seen their data used by crooks though, with one victim, Tina Mather, telling the New York Times that $4000 was stolen from her bank account.
