Brutalized! South Carolina breach exposes data security woes at State level

Brutalize? Yes, that’s what the Governor of South Carolina wants to do to the person who breached security at the South Carolina Department of Revenue (SCDOR) and exposed Social Security Numbers and other information pertaining to 3.6 million people, as well as 387,000 credit and debit card records. Speaking to the press on Friday, Gov. Nikki Haley said: “I want this person slammed against the wall…I want this man brutalized.”

Deloitte-NASCIO 2012 report

We will get back to Gov. Haley’s statement in a moment, but if we expand our perspective on this incident, which has been reported in detail in Computerworld and WBTV, we can see that the scale of the breach has focused renewed attention on cybersecurity at the state level. The picture that is emerging is not pretty.

The people in charge of protecting the data about us that states process and store are known as the state CISOs, as in state Chief Information Security Officers. These folks were polled recently on the topic of cybersecurity. When asked if they receive appropriate executive commitment and adequate funding for cybersecurity, the number who said they did was a dismal 14%. Even if you discount that number slightly on the grounds that anyone in charge of anything usually feels they have not been provided with adequate funding, the number is still shockingly low. Yet it is consistent with the response to a separate question: 86% of state CISOs identified “lack of sufficient funding” as the key barrier to addressing cybersecurity.

Let me put it another way, with another statistic that I found staggering: half of all state CISOs have a team of five cybersecurity professionals or fewer. While you ponder how small that number is, let me give a shout out to the source of these numbers, the National Association of State Chief Information Officers (NASCIO) and the firm of Deloitte, who worked together to create a report titled “State governments at risk: A call for collaboration and compliance.” The report is also known as the 2012 Deloitte-NASCIO Cybersecurity Study and is freely available as a PDF download.

I think anyone familiar with information security staffing in the private sector would agree that half a dozen people managing the security of millions of sensitive records across an entire state is shockingly low. Sure, they’re probably not the only people working on securing that data–one would hope that each state agency has devoted some of its human resources to that end–but just think about the data that every state stores: valuable and potentially sensitive data on its residents (name, address, date of birth, Social Security Number, driver’s license number, photo, height, eye color, property owned, income earned, and taxes paid).


Not reassuring: The cover image from the 2010 version of the Deloitte-NASCIO report: State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust

Even the least populous states, Wyoming and Vermont, have more than 500,000 residents each. Try mentally comparing states to hypothetical companies whose business involves processing massive amounts of very personal data on at least half a million customers, but probably closer to 6 million, which is the average state population. It is hard to imagine any company like that having fewer than six cybersecurity professionals working on protecting such data. Furthermore, another 38% of state CISOs have only between 6 and 15 people. Deloitte makes the point that something closer to 100 would be typical for a company in the financial services sector. Perhaps the big story here is that more state breaches have not yet happened.

If you find all this rather worrying and would like to know more, I heartily commend the Deloitte-NASCIO study, which is biennial, meaning there are some interesting insights available by comparing the 2012 and 2010 findings. Sadly, one comparative stat is that the 2010 Deloitte-NASCIO Cybersecurity Study reported that 88% of state CISOs considered lack of sufficient funding to be the greatest barrier to information security, compared to 86% in 2012, which is an improvement, but not much, given the two years that have elapsed.

Getting back to South Carolina, Gov. Haley has said that she knows where the attack came from, but she has not yet shared that with her constituents. However, she possibly revealed the attacker’s gender when she said: “I want that man just brutalized.” I don’t know if brutalizing is legal in South Carolina, but I do know that the impact of this breach on the state budget is likely to be brutal. Multiply Larry Ponemon’s carefully calculated cost of $200 per record breached by 3.6 million and you get a price tag of $720,000,000. To put that in perspective, it is way more than the General Fund appropriation for South Carolina’s colleges and universities (which was $568,870,814 for fiscal year FY 2010-2011).

While SCDOR is saying that much of the leaked information was encrypted, that does not necessarily exempt the agency from notification or remediation costs. The stolen data affects people who are no longer South Carolina residents but filed taxes there between 1998 and now. That means other states’ notification laws may apply. While encryption may slow down the process by which records can be converted into cash through identity theft and fraudulent accounts, the extent to which that is true in practice will depend on the strength of the encryption, on how it was applied to the records, and on whether the decryption keys were exposed along with the data; encrypted data whose key the attacker also holds is, for practical purposes, not protected at all.

Interestingly, this breach of records from a state tax department comes less than ten weeks before the beginning of the new federal tax year, January 1, 2013. That’s when Americans can begin filing their 2012 income tax returns. Some of those returns will claim a refund of excess income taxes paid during the year. Fraudulent electronic claims for refunds, created using stolen Social Security Numbers, were recently flagged as a huge problem for the Internal Revenue Service (IRS).

Criminals can easily make fake versions of the income tax withholding form known as the W-2, showing that the employer withheld more tax than was owed. Employers often don’t inform the IRS of taxes withheld until several months into the new year. Amazingly, the IRS does not verify the W-2s sent with the income tax return until after the refund is issued. Even crazier is the fact that the IRS will, upon request, issue refunds in the form of a credit to an untraceable debit card (one of those you can buy at Walmart, the kind that doesn’t have your name on it). This is a recipe for rip-off, and the U.S. Treasury is currently losing billions of dollars a year to such scams, coincidentally the type of scam for which the data stolen in South Carolina is ideally suited.

Author Stephen Cobb, ESET

  • SDR

    Great observations, including shedding light on the government's financial priorities and accountability.  It's astounding how the State CISOs are simply overwhelmed. At least one lesson to be learned is to ENCRYPT all sensitive data!  The IRS W-2 refund issue highlights the need for looking at the "life-cycle" of the payment/refund processes.

  • Stephen Cobb

    Does the South Carolina data breach affect you?

    Here's what the South Carolina Department of Revenue says on the SCDOR website:

    Anyone who has filed a South Carolina tax return since 1998 is urged to take the following steps:

    Step 1. Call 1-866-578-5422 where you will enroll in a consumer protection service. The hours of operation are Monday – Friday 9:00 AM – 9:00 PM Eastern, Saturday and Sunday 11:00 AM – 8:00 PM Eastern.

    Step 2. Then you will determine if you wish to have an online or US Mail alert mechanism.

    Step 3. Next visit  For the US Mail service, you will receive notifications via the US mail. 

    Experian’s ProtectMyID™ Alert is designed to detect, protect and resolve potential identity theft, and includes daily monitoring of all three credit bureaus. The alerts and daily monitoring services are provided for one year, and consumers will continue to have access to fraud resolution agents and services beyond the first year. For complete information read the October 26, 2012 Press Release.


Copyright © 2017 ESET, All Rights Reserved.