The hacking of the Department of Revenue’s computer system and the state’s response are evolving stories. Gov. Nikki Haley and other state officials have offered updates with new details every day since the security breach was announced Friday.
Not every detail has been crystal clear, and some of the announcements seem to contradict others. The Post and Courier has been trying to keep track, checking the updates against each other and providing context.
What’s actually been stolen?
State officials have said repeatedly that they don’t know yet exactly whose or what information has been stolen. They just know that 3.6 million taxpayers’ Social Security numbers and 387,000 credit and debit card numbers have been exposed.
On Tuesday Haley revealed more about what was actually taken. She said the only credit card numbers stolen for sure were 5,000 of the 16,000 unencrypted numbers on the server. “Of all 5,000 that were taken, they were expired,” she said. “So not one single active credit card was taken.”
(Several people have noted that if a credit card expires, the 16-digit number is just assigned a new expiration date and security code on the back of the card.) There was no update on whether any of the millions of Social Security numbers or the rest of the newer, active credit card numbers were actually taken.
Meanwhile, taxpayers have called The Post and Courier to report fraudulent activity on their accounts since Friday’s announcement.
Matter of months?
Haley said hacking experts told her that thieves usually wait six to eight months after an attack to put the stolen information to use. “So that is the time frame we are going to be focused on,” she said. “Usually after a year, they don’t see anything.”
Some security experts, however, said the threat can extend well beyond a year’s time, particularly when Social Security numbers are involved.
Thieves generally try to use stolen credit card numbers quickly before the owners discover the theft and cancel the cards. But Social Security numbers are very difficult to change. And they can become more valuable over time if thieves unearth more information about the people involved to sell to folks looking to steal an identity, said Larry Ponemon, chairman and founder of the Ponemon Institute, a Michigan-based think tank dedicated to privacy and data-protection practices.
“It’s pretty sophisticated stuff, and a lot of it won’t lead to an attack in a matter of months,” he said. “It will be used years later.”
Frank Abagnale, an infamous con man turned security expert and FBI consultant, agreed, saying thieves often warehouse stolen personal information and use it two or three years later, when they are less likely to be caught.
Media to blame?
During Monday’s press conference, Haley blamed the media for causing “somewhat of a panic” among taxpayers that led to a flood of callers overwhelming a call center set up to help people get credit monitoring. On Tuesday, the governor went further, blaming reporters themselves for tying up the phone lines and clogging the system so others couldn’t get through.
Bill Rogers, executive director of the South Carolina Press Association, said he found Haley’s statement hard to believe. The state has 16 daily newspapers, and most had no more than a few reporters working on the hacking story.
Post and Courier reporters called the hot line only after fielding dozens of calls from frustrated taxpayers who couldn’t get through.
“That is an ingenious way to blame the media,” Rogers said. “I can’t imagine there are enough reporters in South Carolina to clog that line.”
The governor also didn’t mention that most of these reporters are also state taxpayers and, therefore, fellow victims of the security breach whom she had urged to register for monitoring.
Lifetime fraud protection?
The governor noted for the first time Tuesday that, in addition to a year of credit-monitoring and $1 million of insurance, the state-sponsored Experian service includes “lifetime” fraud resolution. “If anything happens, they are going to do fraud resolution for life,” she said. “So they will go back and hand-hold you ... make sure that you’re fully taken care of. ... So that is something you’ll always have.”
Her spokesman, Rob Godfrey, explained that this means if you, your bank or Experian discovers that you have been defrauded at any point after you signed up for ProtectMyID, Experian will help you remedy the situation, including by calling banks and getting in touch with the other credit-rating agencies.
Common or not?
Haley said the attack was indicative of “the world we live in today,” and that the lack of much national media interest in the episode shows how commonplace such attacks have become. At the same time, she called the attack “absolutely bizarre” and not something that happens every day. Which is it?
Ponemon, the cyber-security expert, said South Carolina’s breach “is a big one,” but such attacks do occur on a fairly regular basis, hitting everything from large corporations to universities and small businesses. Cyber-thieves often target public and governmental institutions because they hold a variety of valuable data and their security is usually not as good or comprehensive as it is in the commercial sector, particularly in regard to financial institutions, he said.
“I know South Carolina has reason to worry here, but I don’t think you can pick on the state for something that has become a common malady and affects a lot of state departments,” he said.
Haley said this week that encryption of Social Security numbers, like the millions compromised in the Revenue Department breach, is not “industry standard.”
“A lot of banks don’t encrypt,” she said.
On Tuesday, two banking industry representatives said encryption of Social Security numbers — and plenty of other sensitive numbers and information besides — is industry standard when it comes to transmitting them over the Internet. (How the hack was perpetrated hasn’t been fully explained, but officials have said it came from a foreign IP address.)
Fred Green, president and CEO of the South Carolina Banking Association, said “the distribution or transportation of data between one location and another, all of that is encrypted, not just Social Security numbers but everything.”
“So if anybody got in the middle, they wouldn’t know what they’re looking at,” he said.
Jeff Sigmund, a spokesman for the American Banking Association, added this in an email Tuesday: “Social Security numbers are generally protected by a number of security measures while on bank systems, including firewalls, access controls and encryption.”