South Carolina: 'The mother of all data breaches'
In a nation where hackers steal personal data from computer systems on a near-daily basis, the cyberattack on the South Carolina Department of Revenue stands out as the largest breach against a state tax agency in the nation.
ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity-protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.
PLACE A FRAUD ALERT OR SECURITY FREEZE ON YOUR CREDIT RECORDS: Residents can request a “fraud alert” to let potential creditors know they may be a victim of identity theft, or request a “security freeze” to restrict potential creditors' access to their credit records. To place a fraud alert, call Equifax at 1-800-685-1111, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289. To place a security freeze, you must contact each agency individually. Under South Carolina law, the consumer reporting agencies cannot charge consumers fees for placing, temporarily lifting or removing a security freeze.
REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.
FOR BUSINESSES: Both Dun & Bradstreet Credibility Corp. and Experian are offering free credit-monitoring services for all South Carolina businesses that have filed state taxes since 1998. Dun & Bradstreet is offering lifetime credit-monitoring via its CreditAlert product. Visit DandB.com/SC or call customer service toll-free at 800-279-9881. Experian is offering one year of its Business Credit Advantage product at smartbusinessreports.com/SouthCarolina. The deadline to sign up for the Experian service is Jan. 31. There is no deadline to sign up for the Dun & Bradstreet service.
“From a state point of view, this is kind of the mother of all data breaches thus far,” said Larry Ponemon, chairman of The Ponemon Institute, which researches privacy and data protection.
By the numbers (infographic; the figures themselves are not present in this text)
- Number of U.S. data breaches in 2012 attributed to hackers.
- Number of records associated with those breaches.
- Number attributed to South Carolina.
- Number of intentional and accidental U.S. data breaches reported so far in 2012.
- Average amount a data breach cost a U.S. company in 2009.
- Maximum amount South Carolina will pay to enroll taxpayers in a credit monitoring service.
- Portion of Texas residents who signed up for free credit monitoring after personal data was compromised on state computers in 2011.
- Portion of South Carolina adults who signed up for free credit monitoring in the five days since the state's data breach was announced.
Sources: Privacy Rights Clearinghouse, PGP Corp., Ponemon Institute, Dallas Morning News and S.C. government
“It's a huge, big deal,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. Stephens said South Carolina's is the largest hacker-related data breach he has heard of involving a state government, but said that there have been larger attacks involving private companies and the federal government.
Hacking questions? We've got answers.
Reporters Brendan Kearney and Glenn Smith will answer your questions about the Department of Revenue hacking situation during a live chat Monday at 10 a.m. on postandcourier.com.
State officials have repeatedly said such a theft of data could have happened to anyone, and there's little that could have been done, but experts said South Carolina was apparently a soft target.
For more stories about the state Department of Revenue breach, go to postandcourier.com/hacked.
At the University of South Carolina, the Center for Information Assurance Engineering researches and teaches information-systems security using courses certified by the federal National Security Agency.
Department Chairman Michael Huhns said it's “inexcusable” that sensitive information, including millions of taxpayers' Social Security numbers, was not better protected.
“Yes, people should be surprised — and upset — that the state's computers were breached this way,” Huhns said in response to emailed questions. “Yes, it represents slipshod security.”
Ponemon believes other states are just as vulnerable, because most states have poor data security.
“It shouldn't be viewed that the folks in South Carolina really messed up, because they are not worse than others,” Ponemon said. “My belief is that this could happen in almost any state in the United States today.”
Hackers are known to have breached 213 computer systems in the United States this year, according to the Privacy Rights Clearinghouse. Their targets ranged from small businesses to government institutions, and included universities, banks, hospitals, corporations and nonprofit groups.
In those cases, personal data such as names and addresses were stolen, along with passwords, credit card information and medical records. But the scope of the data hacking in South Carolina stands out because an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.
In terms of personal data, Social Security numbers are “the keys to the kingdom,” Stephens said. They are far more valuable than easy-to-cancel credit card and debit card numbers, and can be used to perpetrate identity theft.
“I think the big problem was that the data was not encrypted,” he said. “Certainly, it is the responsible thing to do if you want to protect data.”
Huhns agreed. He said determined hackers can breach any system, but the idea is to not be the easiest target.
Huhns said it's like the old joke about two hunters who meet a ferocious bear. One hunter says: “You know we can't outrun a bear,” and the other replies, “Sure, but I only need to outrun you.”
The same concept applies to avoiding hackers, Huhns said. He said it's a shame that state agencies haven't taken advantage of the center's expertise.
“We were hacked because we were an easy target,” said Huhns.
South Carolina officials have offered no specifics about how the Department of Revenue computers were breached.
The state has agreed to pay up to $12 million to enroll those who had filed state tax returns in a credit-monitoring service provided by Experian, called ProtectMyID.
In Texas, the Comptroller's Office responded similarly last year when about 3.5 million Social Security numbers and other personal data were left on a computer server that could be accessed by the public.
In that case, hackers were not involved. Unintended disclosure, like the one in Texas, is a common way private data can become public, along with insider theft, lost or stolen computers, and other means.
In the Texas incident, the comptroller ousted four employees, according to the Dallas Morning News, and hired new computer security experts, including a former Central Intelligence Agency employee.
As in South Carolina, Texans were offered free credit monitoring services. The bill could have reached $21 million, but only 3 percent of those eligible signed up, the Dallas newspaper reported, so the cost was only $600,000.
Even companies that handle credit monitoring and credit reports can be vulnerable.
Just days after South Carolina's data breach was disclosed, hackers struck Abilene Telco Federal Credit Union in Texas. By infiltrating an employee's computer, they were able to access the credit union's Experian account and download 847 credit reports, according to the Privacy Rights Clearinghouse.
Hackers seek out weak links in computer networks, and sometimes find them in unlikely places. One of the largest commercial data breaches involved Sony's PlayStation Network, where online gamers' accounts contained personal and financial data.
“There are incidents that I call mega-breaches, like South Carolina's incident,” Ponemon said.
“In defense of the state of South Carolina, a beautiful state where I have family, a lot of data breaches involve government organizations,” he said. “One of the reasons, based on our research, is that the security posture of government organizations tends to be inferior to that of commercial organizations.”
Ponemon and Stephens said credit monitoring services can be helpful for those potentially exposed to identity theft, but putting a security freeze on credit reports offers more protection.
Reach David Slade at 937-5552 or Twitter @DSladeNews.