E-mail updates
Follow on Twitter
Subscribe to RSSA report is expected to be released Tuesday detailing how an unknown cyber hacker broke into South Carolina's computers and stole millions of tax returns from residents dating back years. NBC's Michael Isikoff reports.
COLUMBIA, S.C. -- A single malicious email sent to workers at the South Carolina Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday.
“We were a cocktail for an attack,” Gov. Nikki Haley said, referring to the necessary ingredients for cyberassault, as she released a report by a computer security firm Mandiant, which was commissioned to investigate the data breach. At the same time, Haley accepted the resignation of her Department of Revenue director, Jim Etter, and acknowledged that state officials “could have done more” to protect the personal data of state residents.
The release of the report came amid a mounting political uproar here over the cyberattack and criticism of Haley over her handling of the issue.
“I’ve gotten more phone calls and emails about this than anything else in the last four years,” said Tom Davis, a state senator and former chief of state to Gov. Mark Sanford. “There’s a great degree of anger and frustration over what happened. This is information you’ve got to give the government; if you don’t, they put you in jail. There’s a real sense of betrayal,” he said.
According to the Mandiant report, the cyberattack, which state sources say is believed to have originated inside Russia, started with a “phishing” scheme, a common tactic used by cyber criminals.
Last Aug. 13, a hacker sent multiple South Carolina Department of Revenue employees a malicious email containing an embedded link containing malware or a computer virus. When at least one of the employees clicked on the link, the malware was activated and allowed the hacker to steal the employee’s user name and password.
From there, the hacker was off to the races. Two weeks later, the attacker logged onto the remote-access service for Department of Revenue computers, using the credentials of an employee who had clicked on the Aug. 13 email. The invader then “leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials,” the report states.
The attacker performed “reconnaissance activities” over the next several weeks, then started copying large amounts of data and transferring them onto zip files that were moved onto the Internet. The breach was not discovered until the Secret Service notified state officials on Oct. 10 that it had uncovered information that data on three state residents had been stolen.
Since then, Haley and other state officials have scrambled to react as the magnitude of the attack has become increasingly apparent. In addition to 3.8 million tax returns, including the Social Security numbers of 1.9 million children and other dependents, the hackers got access to data on 699,900 business tax returns and 3.3 million bank accounts.
The attack has exposed vulnerabilities that experts say will cause state governments across the country to reexamine their cyber-defenses. Although South Carolina had encrypted credit card numbers according to industry standards, it had never encrypted the Social Security numbers. And some cyber experts say there is evidence that that data may now be marketed on Internet black market sites that peddle personal information on millions of Americans.
Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted. She released a letter to IRS Commissioner Steven Miller “to strongly encourage the Internal Revenue Service to require all states to have stronger security measures for handling federal tax information, particularly encryption of tax information that is stored or ‘at rest.’”
Leave a Comment:
Why won't MSNBC investigate the massive voter fraud/disenfranchisement that took place in Richland County, SC during this last election?
maybe it is time to go back to the good old pen and paper method.Then they would have to physically break in and take what they want.
Dont let the Republicans tell you that they want smaller federal government. They need the feds to blame when their own people screw up.
and who would you blame if it was'nt for Republicans?Now that is a fair question.
Why would a state wait for the Feds to require encryption of any information? Any Head of a state agency that is waiting to be told what to do like the use of common sense should get a massive pay cut and a revocation of any benefits. The same goes for any government employee that takes a laptop out of their workplace when it has sensitive unencrypted data.
Track the person down, if he's got an e-mail he has a modem. Find the international person cut their hands off pour sulfuric acid in the wounds and let them scream for a while then kill him. or just blame it on George Bush, yaw blame him for everything else
yeah Gary it would seem that it is far easier to blame Bush than to get to the truth of the matter.
Nobody had even mentioned 'Bush' until you two morons brought him up. If that's the best you can do at deflection, you better scurry back to FauxNews and reload your talking points....
This is terrifying, I'm going to have nightmares. I used to work for a worldwide fortune 500 company doing payroll. Back in 2001 we ceased allowing social security number access to anyone except for the highest level of personnel. Thank goodness. You can't turn over such sensitive data entry to just anyone, you have to have the appropriate personnel handling it. Who allowed this kind of sensitive data access to someone so inappropriate? Or, were they simply ignorant? That's the scary part, one ignorant individual who can do this much damage.......
Like most anti-virus programs.There cannot be a fix for a virus until it has been detected and someone already has the virus.Same deal with security break ins.
The Tea Party governor complaining she was not regulated from the feds? Did she lose her pocket Constitution? How so conveniently she forgot the 10th amendment. This proves once and for all that the TP movement has no intellectual core whatsoever. Continue being the stupid party GOPers!!!!
What an idiot.
Don't know why many of you are so outraged. Data breaches of this type involving SSN's have been happening at numerous universities and local school systems all over the country. At 17, when applying for student loans, my niece discoverered she apparently owned a home and had an entire credit history she and her parents knew nothing about. My husband's sister and her husband had someone else file for a refund using their SSN's last year and they had to file a specially flagged return with the IRS and can't get the refund they are due. Get your heads out of your asses people. The Social Security Administration aids and abets the criminals because they don't share information with the IRS when SSA knows when more than one employer reports income under a SSN but under multiple names that don't match up. In my area, a Chase Bank customer service rep was charged with stealing the financial identities of bank clients. Also, when doctor's offices have gone bankrupt, dumpster divers have found patient records in dumpsters that have included SSN's. And, don't forget, if you watched the Democratic National Convetion, some dumb woman held up her Medicare card with her SSN on it for a camera close up. Her number was plastered all over YouTube within an hour. This can happen anywhere and at anytime. European countries don't use one number to ID you for everything and we don't need to either.
I live in South Carolina. The State Government has already started notifying state residents of free credit reports and identity theft protection through Experian and other services via various agency websites and through local media such as The State Newspaper in Columbia so that people who might have been victimized can be protected. The problem, of course, is that there are hundreds and thousands of tax returns that were downloaded. These services are certainly not 'free' and, of course, the State of South Carolina is going to have to pay for them. Ultimately, guess who is eventually going to have to pay for these protections and credit monitoring services? US! The residents of South Carolina! For someone who campaigned as being fiscally frugal, our dear, sweet, governor is doing us no favors!
this is the same govenor who responded to my concern about texting and driving by saying" safety is a personnel issue". she also said "god bless", which i don't think is appropriate when it concerns government. if safety is a personnel issue then i guess drinking and driving is also a personnel issue. i think tea party folks are very one issued. south carolina is a backward state that cannot get much done, re. road projects. oh well enough said
Some of you Democrats really need to lay off with the political sarcasm.this article had nothing do do with politics,yet you insist on bringing up things that had nothing to do with hacking.Maybe there is something to this.That's right...the Democrats did this (since they are so smart)to make the Republicans look bad(since the republicans are so dumb)yup i am sure of it now that the Democrats are behind this one.I don't even need proof because they are the only ones smart enough and devious enough to pull this off.this is all about sarcasm,i know they did'nt do it but, it's just as absurd to blame the Republicans.
HA HA!!!
Typical Politian put the blame on someone else instead of just saying "Darn I screwed up and should have watched out for my tax payer's information.
Let's cut off ALL Welfare in SC, to buy more security for your computers. Sounds like a winner to me.
Had SC changed the SS system the feds would probably sue the state as it being unconstutional and withhold some form of grants and moneys, then they'd say it was not a real problem.
Ha Ha !!!
Just last week the Party of NO voted down a bill proposed by the Administration that would significantly improve cyber security. Now Mitch McConnell and his monkeys, such as Dean Heller from Las Vegas, are looking for a Scape Goat to take the wrap for the Republican stance against Everything except WELFARE FOR THE RICH & GREEDY.
The Governor should look in the mirror as she practices her "explanation" to her taxpayers as to why their data remains unsafe -- STILL.
Nicki Haley,
Makes me want to GAG!!!! What a hypocrite!!!! ......She should spend less time trying playing politics and do here DAMN JOB!!!
why can't they just say that someone out smarted them and broke into the system?It would be more logical to find out who the heck did this and stop them from doing more rather than pointing fingers and saying it's your fault this happened.
This dumb blond Tea Bagger has put her entire state at jeopardy for Identity Theft all because she was pre-occupied with her GOP/Tea Bagger looser friends trying to win the Nov 6 elections. The honest hard working citizens of South Carolina should be demanding to recall her lame but for impecahment. she is is one that was being groomed to bigger and better things in the Tea Party. She isn't any better than that air head Sarah that was running for VP.
keep pointing fingers and this case will never get solved
Hey, Nikki,
Do you have a clue as to how STUPID and IDIOTIC you sound with that whine?
Do you even have a clue, period?
Typical GOP hypocrite. Hate the feds. Until you need them. And then whine because they aren't there yesterday!
No wonder the GOP has lost the national vote 5 of the past 6 presidential elections.
A typical Tea Bagger, acnnot accept defeat. Poor John mcain and Mitt the idiot Roomney are still living in an after shock after they were whipped like step kids by the Commander-inChief. And their running mates Sarah and Paul have just plum flipped out with denial and retreat. Down with those ignorant Tea Baggers. GOP, if you have any chance in regaining recognition, PLEASE PLEASE PLEASE distance yourself from those ignorant Tea Baggers. A Tea Bagger (Sarah Paulin) took John Mcain down and Tea Bagger looser Paul took Mitt the looser down.
Waddadumass this has nothing to do with that....
Only an idiot clicks on an unsolicited email link. Clicking on a link from somone you know is sketchy. Disabling all email links automatically for all state or federal workers would be a good start.
I am constantly amazed at the number of private and public employers who allow "external" email to flow
from the public internet into the employers private network without significantly more security and screening. Unauthorized email and unauthorized internet usage is by far the most common method of malicious entry and hacking.