Official: Hacker used two vulnerabilities to get into S.C. Revenue database
BY STEPHEN LARGEN AND GLENN SMITH
COLUMBIA — The hacker who made off with a gold mine of South Carolina taxpayer information exploited vulnerabilities in a state computer system to score his illicit prize.
That is the verdict of Marshall Heilman of Mandiant, an information technology firm hired to aid the state’s cyber-security efforts following the breach. Still, Heilman said, the company’s stance is that a determined and advanced attacker will always find a way to get into a system.
Another expert, however, said the vulnerabilities suggest that the state wasn’t doing enough to safeguard the sanctity of its system and the sensitive information it contained.
Meanwhile, the state revealed Wednesday that an additional 200,000 tax records were compromised by the breach, bringing the total number of affected taxpayers to 3.8 million.
S.C. Department of Revenue officials initially put the number of hacked Social Security numbers in tax records at 3.6 million.
Heilman said the hacker targeted unsecured, third-party software on a state computer system. The attacker tricked a user into opening a malicious file that took advantage of that vulnerable software, he said.
Revenue’s login system for the computer also did not have the strongest protections available to verify users trying to get in, Heilman said.
That allowed the hacker to use employee credentials likely stolen during an initial attack in August to remotely access the department’s computer and harvest information from its database, Heilman said.
The director of the Revenue Department told state senators in a hearing last month that the hacker used agency credentials to access the database that contained millions of Social Security numbers and other sensitive taxpayer information. About 250 employees had credentials to access the database, Director James Etter said.
Heilman said the technique used by the hacker is a common occurrence.
“We respond to hundreds of incidents a year; many of the companies we respond to are very security-conscious and have very talented and dedicated security teams,” Heilman said. “It is possible to make it extremely difficult for an attacker to gain access; however, there is never a guarantee.”
Every known hole used by the hacker has since been plugged, Heilman said.
Larry Ponemon is chairman and founder of the Ponemon Institute, a Michigan-based think tank dedicated to privacy and data-protection practices. He agreed with Heilman that such attacks are fairly common and that hackers can be relentless in their pursuit of an opening to exploit.
But Ponemon said that’s no excuse for the state not to ensure that its software was up to date and “patched” with the latest security fixes to protect the data.
Ponemon compared the situation to a homeowner leaving his back door open or the keys in the ignition of his unlocked car. A determined thief could find other ways to get in, but the homeowner just made the crook’s job a whole lot easier, he said.
“Even if a company or agency is vulnerable and they are not the only ones, that is still not a valid excuse,” he said. “The state has an obligation to have good security.”
A standardized, state-government-wide approach to information technology and security may have required two-factor authentication to remotely access state resources, Heilman said.
Such a system might require a password and additional verification, such as a check of the computer’s IP address or a special browser code, other experts said.
Such a system is not in place in South Carolina, but has been floated in the wake of the cyberattack.
Two-factor authentication is considered a best practice, Heilman said, but isn’t always used.
“There were a lot of security mechanisms in place” at the Revenue Department, he said. “Unfortunately the attacker only needed to find a way to exploit one vulnerability, whereas the state is responsible for securing against thousands of vulnerabilities.”
The Revenue Department wasn’t using an available layer of state security at the time of the breach.
The cyberattack compromised Social Security numbers for people who had paid state taxes since 1998, thousands of credit and debit card numbers and information from as many as 657,000 S.C. businesses.
Last week, Gov. Nikki Haley said the state had spent $125,000 on Mandiant’s services to deal with the breach. The Department of Revenue, in an Oct. 28 projection, estimated that the final bill will run to about $500,000, agency spokesman Samantha Cheek said.
The state is also paying a communications firm $160,000 in part to help create and place advertisements informing taxpayers of how they can receive help. In addition, the state estimated it will spend another $741,000 for mailings to notify 1.3 million people now living out of state of the breach, Cheek confirmed.
State officials have urged taxpayers to sign up for a year of free credit monitoring through Experian, which the state is paying $12 million to obtain.
As of Wednesday morning, the Experian call center set up to assist South Carolina taxpayers had received approximately 728,701 calls. Some 693,272 people had signed up for Experian’s ProtectMyID program, said Rob Godfrey, spokesman for Gov. Nikki Haley.