Security company Mandiant was hired in mid-October to investigate the incident, and they found that it actually started with a phishing email way back in August. A user clicked on a link that had been embedded within the email, and their credentials were stolen. Then almost two months went by, during which time the attackers had collected passwords to all Windows user accounts and gaining access to six servers.
Mandiant explains that on October 19th the state was able to remove the attacker’s access, but at that point 44 systems had already been compromised, and as much as 74 GB of data had been taken. The files that had been taken were a mix of encrypted and unencrypted data.
The DOR not having Social Security numbers encrypted was well within IRS compliance standards according to Nikki Haley, South Carolina’s governor – “The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers. Should we have done more? Yes, we should have done above and beyond what we did.” Encryption within the DOR is in the works, and Haley has contacted the IRS to suggest they reevaluate the protocol to perhaps raise the standard in the wake of this event.
Encryption is important, but so too is the need for education. The attackers were able to successfully get credentials from a phishing email. Training staff to better define and react to these sorts of threats can really help reduce the chances of a breach. Also, regular risk assessments can help pinpoint weak areas to give staff effective and successful training. As is reasonably being stated and restated, people are the weakest link in the security of an organization. It’s critical to keep staff informed and sure of their processes.
Another missing security measure was two-factor authentication to access sensitive tax data. Two-factor authentication for VPN (Virtual Private Network) or remote access is required by PCI DSS, the industry standard for protecting credit cardholder data.
Currently the state of South Carolina is paying for a year of credit monitoring for its residents, as well as insurance that should help absorb costs related to the breach. As it stands, over 800,000 people have called looking for this protection already. The DOR director Jim Etter has resigned, and with the new director comes a new look at the security policies currently in place, explains Haley. “We need a new set of eyes who will look at data in terms of security and get aggressive in terms of our tax policy.”
Take a look at our Security Toolkit to learn more about the different types of security, and what can be done to keep your data secure.