Official: Hacker used two vulnerabilities to get into S.C. Revenue database
COLUMBIA — The hacker who landed a gold mine of S.C. taxpayer information by breaching a state database exploited two specific vulnerabilities in the attack, according to an official from a firm hired to aid the state’s cyber security efforts.
Still, the official said, the company’s stance is that a determined and advanced attacker will always find a way to breach a system.
Marshall Heilman with information-technology firm Mandiant said the first vulnerability was the use of unsecured third-party software on a state computer system. The attacker was able to trick a user into opening a malicious file that took advantage of the vulnerable software, he said.
The Department of Revenue’s login system for the computer also did not have the strongest protections available to verify users trying to get in, Heilman said.
That allowed the hacker to use employee credentials likely stolen during the first attack to remotely access the revenue department’s computer and harvest information from its database, Heilman said.
The director of the S.C. Department of Revenue told state senators in a hearing last month that the hacker used agency credentials to access the database.
About 250 employees had credentials to access the database, Revenue Director James Etter said.
Heilman said the technique used by the hacker is a very common occurrence.
A standardized, state-government-wide approach to information technology and security may have required two-factor authentication to remotely access state resources, he said.
Such a system is not in place in South Carolina, but has been floated in the wake of the cyberattack.
Two-factor authentication is considered a best practice, Heilman said, but isn’t always used.
“There were a lot of security mechanisms in place at [the Revenue Department],” he said. “Unfortunately the attacker only needed to find a way to exploit one vulnerability, whereas the state is responsible for securing against thousands of vulnerabilities.”
The Revenue Department wasn’t using an available layer of state security at the time of the breach, The Post and Courier has reported.
Meanwhile, state officials have discovered that an additional 200,000 tax records were compromised by the breach, bringing the total number of affected taxpayers to 3.8 million.
State Department of Revenue officials initially put the number of hacked Social Security numbers in tax records at 3.6 million.
Agency spokeswoman Samantha Cheek said today that number was an early estimate, and she confirmed that the tally has since grown.
The cyberattack compromised Social Security numbers for people who had paid state taxes since 1998, thousands of credit and debit card numbers and information from as many as 657,000 S.C. businesses.