One email exposes millions of people to data theft in South Carolina cyberattack

A report is expected to be released Tuesday detailing how an unknown cyber hacker broke into South Carolina's computers and stole millions of tax returns from residents dating back years. NBC's Michael Isikoff reports.


COLUMBIA, S.C. -- A single malicious email sent to workers at the South Carolina Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday.

“We were a cocktail for an attack,” Gov. Nikki Haley said, referring to the necessary ingredients for a cyberassault, as she released a report by the computer security firm Mandiant, which was commissioned to investigate the data breach. At the same time, Haley accepted the resignation of her Department of Revenue director, Jim Etter, and acknowledged that state officials “could have done more” to protect the personal data of state residents.

The release of the report came amid a mounting political uproar here over the cyberattack and criticism of Haley over her handling of the issue.


“I’ve gotten more phone calls and emails about this than anything else in the last four years,” said Tom Davis, a state senator and former chief of staff to Gov. Mark Sanford. “There’s a great degree of anger and frustration over what happened. This is information you’ve got to give the government; if you don’t, they put you in jail. There’s a real sense of betrayal,” he said.

According to the Mandiant report, the cyberattack, which state sources say is believed to have originated inside Russia, started with a “phishing” scheme, a common tactic used by cyber criminals. 

Last Aug. 13, a hacker sent multiple South Carolina Department of Revenue employees a malicious email with an embedded link containing malware or a computer virus. When at least one of the employees clicked on the link, the malware was activated and allowed the hacker to steal the employee’s user name and password.

From there, the hacker was off to the races. Two weeks later, the attacker logged onto the remote-access service for Department of Revenue computers, using the credentials of an employee who had clicked on the Aug. 13 email. The invader then “leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials,” the report states.

The attacker performed “reconnaissance activities” over the next several weeks, then started copying large amounts of data and transferring them onto zip files that were moved onto the Internet. The breach was not discovered until the Secret Service notified state officials on Oct. 10 that it had uncovered information that data on three state residents had been stolen.

Since then, Haley and other state officials have scrambled to react as the magnitude of the attack has become increasingly apparent. In addition to 3.8 million tax returns, including the Social Security numbers of 1.9 million children and other dependents, the hackers got access to data on 699,900 business tax returns and 3.3 million bank accounts.

The attack has exposed vulnerabilities that experts say will cause state governments across the country to reexamine their cyber-defenses. Although South Carolina had encrypted credit card numbers according to industry standards, it had never encrypted the Social Security numbers. And some cyber experts say there is evidence that that data may now be marketed on Internet black market sites that peddle personal information on millions of Americans.

Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted. She released a letter to IRS Commissioner Steven Miller “to strongly encourage the Internal Revenue Service to require all states to have stronger security measures for handling federal tax information, particularly encryption of tax information that is stored or ‘at rest.’” 


Because MSNBC wants you to think and react exactly the way you are, they do not tell you that Haley actually said "South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted" and she sent a letter to the IRS suggesting they begin requiring encryption in their standards. The statement in the story "blamed the federal government for not requiring Social Security numbers to be encrypted" is an absolute lie. They also do not tell you that your fellow patrons spent 3 weeks finding every media outlet that would listen and complaining that Haley did not tell them first when the Fed investigators requested nothing be said for 2 weeks while they tracked the breach instead of dealing with the problem or that the foremost of them all, who is an ex-politico that was voted out of office and happens to be a lawyer and has a record of failed lawsuits against Haley, is filing lawsuits. Amazing how many took this as an excuse to spout insults and half-wit comments. Almost as amazing as how this story is intentionally misleading. Really makes all those media educated comments quite funny.

    #190 - Wed Nov 21, 2012 10:25 AM EST

    This is a state government issue. It was state taxes. There are already ways to secure computers. Tax computers can be encrypted and on totally separate servers, routers and hubs that will not interface with computers that handle email traffic. That is what they should have done. It is easy. Set up computers that handle taxes with no access to internet explorers. There is software that can get the user to send in his information securely and not allow internet explorer access. Some schools already do this for students.

      #190.1 - Wed Nov 21, 2012 11:09 AM EST

      ncm-3128591,

      I'm wondering if the breach will be traced to the outsourced software vendor in India who left the back door open whether intentional or not.

      The letter to the IRS is funny though. I think as Governor, she can require that state computers containing personal information be secure.

        #190.2 - Thu Nov 22, 2012 5:26 AM EST

        Social Security numbers are like the passwords to each person's existence and are probably even more important to be encrypted than credit card or other account numbers. Of course, the cheap-o SC government didn't think this was important. If this was any commercial enterprise, this would totally be grounds for a mass lawsuit that would probably completely bring the company down, but oh yeah, you can't sue the state.

        The worst part of all of this is that no one of significance will probably go to jail, because we all know that jail is for social rejects and not the regular joe next door who just made "an honest mistake."

        Pathetic.

        • 1 vote
        #191 - Wed Nov 21, 2012 11:37 AM EST

        My local paper covered this as well. They had outdated computers and inadequate security. For years we have had commercially available random encryption keys. This all started because of a spam email. It is astonishing. A college student could have set them up with a better system. The state could be sued. We all know the latest and greatest firewalls do not function well with outdated limited computers. The latest stuff needs faster processors and much more RAM than the old computers had.

          #191.1 - Wed Nov 21, 2012 12:49 PM EST

          This is Big Government at its best. What hypocrisy! Just go to a flat tax or a national sales tax where everyone contributes and is equitable, but then Obama never would have gotten re-elected then would he!

            #192 - Wed Nov 21, 2012 2:23 PM EST

            You started out with a decent proposal. Then blew your credibility at the end.

            Flat tax or sales tax would eliminate tax returns. However, the use of your SSN has become so widespread by companies who really have no need for the info.

            Your SSN should ONLY be used if you are applying for or receiving FEDERAL assistance of any kind. But show me a doctor, dentist, insurance, bank that doesn't collect that info.

              #192.1 - Sat Nov 24, 2012 6:24 AM EST

              It appears that it is the business policies and American legislation that require that all personal data be collected on citizens before a citizen can buy or sell anything... so all the thieves have to do is hack the database... that is created by mankind!! The thief's job has been made easier because of legislation passed by our elected public servants that we vote into office... remember the "Patriot Act, The Protect America Act, The National Defense Authorization Act, F.I.S.A.?" All of these acts make it easier for personal information to be stolen by thieves, who are hackers!! Stealing is so legal in the world today!! Even General Petraeus's emails have been exposed and he was the head of the C.I.A.!! I am so amazed when America's elected public servants create their own enemy agencies to catch the terrorists and the same agencies catch top ranking Generals!! I am waiting to see which legislator's and appointed citizen's emails will be exposed next... What about the Supreme Court Justices? Anonymous we are waiting! Just my thoughts!!

                #193 - Wed Nov 21, 2012 3:34 PM EST

                I wonder if she was the one who opened the offending email?

                • 1 vote
                #194 - Thu Nov 22, 2012 5:17 AM EST

                Not until the penalties for this crime are drastically increased will the public be safe.

                  #195 - Thu Nov 29, 2012 7:43 AM EST

                  Makes me wonder about the govt lack of concern for our security on the internet, they seem to think no one will ever take advantage of our weaknesses....

                    #196 - Tue Dec 4, 2012 3:22 PM EST