E-mail updates
Follow on Twitter
Subscribe to RSSA report is expected to be released Tuesday detailing how an unknown cyber hacker broke into South Carolina's computers and stole millions of tax returns from residents dating back years. NBC's Michael Isikoff reports.
COLUMBIA, S.C. -- A single malicious email sent to workers at the South Carolina Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday.
“We were a cocktail for an attack,” Gov. Nikki Haley said, referring to the necessary ingredients for cyberassault, as she released a report by a computer security firm Mandiant, which was commissioned to investigate the data breach. At the same time, Haley accepted the resignation of her Department of Revenue director, Jim Etter, and acknowledged that state officials “could have done more” to protect the personal data of state residents.
The release of the report came amid a mounting political uproar here over the cyberattack and criticism of Haley over her handling of the issue.
“I’ve gotten more phone calls and emails about this than anything else in the last four years,” said Tom Davis, a state senator and former chief of state to Gov. Mark Sanford. “There’s a great degree of anger and frustration over what happened. This is information you’ve got to give the government; if you don’t, they put you in jail. There’s a real sense of betrayal,” he said.
According to the Mandiant report, the cyberattack, which state sources say is believed to have originated inside Russia, started with a “phishing” scheme, a common tactic used by cyber criminals.
Last Aug. 13, a hacker sent multiple South Carolina Department of Revenue employees a malicious email containing an embedded link containing malware or a computer virus. When at least one of the employees clicked on the link, the malware was activated and allowed the hacker to steal the employee’s user name and password.
From there, the hacker was off to the races. Two weeks later, the attacker logged onto the remote-access service for Department of Revenue computers, using the credentials of an employee who had clicked on the Aug. 13 email. The invader then “leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials,” the report states.
The attacker performed “reconnaissance activities” over the next several weeks, then started copying large amounts of data and transferring them onto zip files that were moved onto the Internet. The breach was not discovered until the Secret Service notified state officials on Oct. 10 that it had uncovered information that data on three state residents had been stolen.
Since then, Haley and other state officials have scrambled to react as the magnitude of the attack has become increasingly apparent. In addition to 3.8 million tax returns, including the Social Security numbers of 1.9 million children and other dependents, the hackers got access to data on 699,900 business tax returns and 3.3 million bank accounts.
The attack has exposed vulnerabilities that experts say will cause state governments across the country to reexamine their cyber-defenses. Although South Carolina had encrypted credit card numbers according to industry standards, it had never encrypted the Social Security numbers. And some cyber experts say there is evidence that that data may now be marketed on Internet black market sites that peddle personal information on millions of Americans.
Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted. She released a letter to IRS Commissioner Steven Miller “to strongly encourage the Internal Revenue Service to require all states to have stronger security measures for handling federal tax information, particularly encryption of tax information that is stored or ‘at rest.’”
Leave a Comment:
Nikki Haley is a disgrace to her ethnicity, her gender, South Carolina, and the United States of America. The GOP will probably run her as Sarah Palin's running mate in 2016. And too many ignorant saps will vote for them.
Well maybe this will keep people from moving to SC. It is amazing those that move here- because they like our state - yet they want to change it. This was the Dept of Revenue mistake. She is trying to correct the problem.
I agree... And for anyone who does move to SC, leave your liberal tax everything that breaths ideas in the state you defected from. I have friends who live in other states, such as NY, that have had their identity's stolen. Thousands of dollars and several years later they still don't have their records cleared. I would bet that half of you people on here calling for a public flogging and hanging of Haley don't even live in SC.
This was/is the State Dept of Revenues problem and Haley is trying to correct it. I, along with millions of other state residents, certainly wish that this had never happened. The only good thing to come out of it for my family and I is that it finally pushed us into doing something that we should have done years ago, get ID protection. I wish that they would incorporate a tax of $20 on all state tax returns payable to ID protection services and enroll us annually, automatically...
Does anyone know if this affects residents who have filed tax returns only or does it also involve children who were born to taxpayers and issued a social security number? It's been a few years since having dependents on my taxes but I seem to remember that you had to put their SS # on the form?
Does anyone think we should just go back to the old way of doing things? Hard copies filed by real people creating real jobs?
ok, this whole topic just turned even more stupid than it was to begin with.Some of you Democrats are just as much a problem as the Republicans.dmill you must be the democrat version of Rush Limbaugh.Your personal hatred for Republicans is only matched by your ignorance.I bet you watch Hannity and Limbaugh to get ideas on how to bash on people.You sir are no better than the tea baggers that you bash.and the same goes for the rest of your so called little buddies that have nothing better to do than create more problems than we already have.If it were up to me i would be sizing you up for a muzzle and i am not even a Republican.
She should stepdown. She wants to blame everybody else for here failure including Obama
thank god for technology. Used to be someone had to steal your checkbook first. The show "revolution" is looking more realistic all the time.
kinda reminds me of the show NETFORCE
lancepilot,
You're really good at picking the wrong target. Read my earlier post. The digital revolution was over long ago.
Isn't it strange? Before when "the good ol' boys" of SC were in charge, we didn't have these kind of problems! It's only been since the Haley, Graham, DeMint bunch took office! Too many corrupt Republican corporate political puppets destroying Democracy and the American way of life!
3.8 Million Tax Returns with social security & bank accounts BREACHED! How ridiculous can it get! And, then on top of it telling their people in this cyber age it's bound to happen! CAN YOU BELIEVE IT!! They must think the American People in SC are stupid!!
It's time to vote these political puppets out of office and give it back to the good ol' boys, at least they took good care of their people! This current bunch of political puppets need to ALL RESIGN!
the democrats did it to make the Republicans look bad..are'nt you in on it too?
They are stupid to elect a Tea Bagger as their Governor.
wolfhound27 No your just paranoid after getting you but kicked in the election.
The employee that opened the email was a democrat...
What's that? You mean Democrat
now how would you happen to know that? U Gotta?
I have my sources...
Hey guys, please go easy on the South Carolinians. You got a bunch of good old redneck boys down there being overpaid why they sit on their sorry ignorant behines sending raceist cartoons and designing new confederate flags when they should be doing what they're paid for, protect the people of South Carolinas. I recently visited their Capitol and you can count the minorities on one hande working in that building. Not one single Gay person around. You got some ignorant raceist Tea Baggers in that part of the country. Impeach this broad.
yeah impeach her,it would be good practice for when it's obama's turn.
Your the govenor and you don't have the brains to protect your states tax info. Well, it is South Carolina. Enough said.
Dear Gov. Nikki Haley,
Someone is blowing smoke up your skirt. Checking that SSNs cannot be read in plain text in a database or in TCP/IP packets is an fundamental software testcase when testing software that recieves, transmits, or stores private data.
This situation is the fualt of inexperenced/unknowledgeable software developers, and testers.
The Democrats did it to blame the Republicans and cause more trouble..then hired people to post the anti-Republican posts here online!!!!!!
If we had we would have got rid of all you good old boys
Like the Republicans say we don't need rules and regulation. No one will cyber attack us we can watch out for ourselves. I don't want anyone telling me how to run things.
ever heard of the 10th fleet?look it up it's a navy thing.
"Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted"
Poor Gov. Haley, instead of prancing around with the tea baggers she should been home running her state a little better.
I thought states could do everything better?
If this wasn't so serious, it would be outragously hilarious. This happed in our state a few years ago with a military related database. What was offered to correct it? One year of free credit checks. I know, let's lock the barn door because the horse got stolen. There will always be outside source cyber attacks. As a former computer network administrator I learned that a huge percentage of the damage comes from within: From untrained and undertrained personnel, users opening every piece of E-Mail junk that comes in, clicking on every Internet button that pops up, etc. The list is endless. Then the user calls up for help and says that something is wrong with the same old slogan "I didn't do anything..." By the way, there is no politics with this issue. Just plain stupidity. Oh I forgot about another computer breach. Leaving your work laptop unattended, like in your car, and finding it stolen. That is always a good one to see users dance around. Have a good day!
thankyou i agree 100% you are correct.
and yet another example of democrat sabatage..really?
All your posts are the same just copy- paste
have a good time with that.just seeing if the democrats can handle a little bit of what they are dishing out.
Haley is not to blame. Any computer system can be broken into anywhere, anytime. Do you think for one minute that the intruder thought or cared about what political party the Governor belonged to? Of course not. Or the employee who clicked the link? Politics are completely irrelevant. This can happen to anyone-and increasingly will. Is it the federal government's responsibility to protect everybody's data everywhere all the time? I doubt that anyone would like to see that amount of control exerted by any government, no matter what political persuasion they are. Should SC's systems be more secure and sensitive data be protected? Of course. How many states have similar systems and levels of protection? Way more than you want to know. Leave the damn politics out of this discussion if you're interested in coming up with some kind of solution.
heck the NSA records many attempts every day to break into federal government mainframes.
You could buy one of these social security numbers, but who would want to be identified as a South Carolina resident.
Hell no I would probably do like that Republican in Florida did after the election
I've got one I'll sell ya... One little problem though, don't file any taxes with it, you'll probably be paying for all of those MEDICARE bills that they paid and then 6 months later took their money back... I guess that's what the Obama Administration counts as "money saved" in MEDICARE...
Besides, the people who purchase SS #'s don't give a rats a$$ what state the number is associated with. Why even Obama's starts with a number affiliated with a state he never lived in!!!
You are one of the factless GOPers.
One more thing. I've written this type of bug in several software products over the years. Some companies blow it off as, "well, an attacker can only see your packt throught TCP/IP only if they can get into your network, but since we're behind a firewall..."
Most common translation = Developer doesn't know how to encrypt data when it's captured in the form on the web page, and transmit and store the hash.
What I see is people working for these agencies that don't know a thing about what they are doing and don't care as long as they get that check every week. We put or we let our government put people in positions just because they know them, not because these people know what they are doing. It's time we start testing people for jobs. Even our President puts people in positions they don't belong in and those that are best qualified for a job are over looked because they are the wrong political party. It's time we take our government back and we make it a requirement you know what the position you're applying for is one you know.
I see what you describe all the time, but because software developers are so smart, the big wigs don't want to believe the software QA Engineer (professional hackers).
one fact about the government that will always be true...your life and security will always go to the cheapest bidder.
Like Jumpin Joe ,the hairplug king?
The biggest Oxymoron out there... Information Security. All it took was one moron to click a foreign link and... Whoops. Yeah, there is no common sense and no IT Security training. My computer requires you certify once a years that you understand about Information Security.
there are some people out there who just can't resist the click.
A story which only proves that there still is NO cure for stupid!!! I work for a small company and if there is a breach - they take everything offline immediately until passwords are changed or the system is patched. Amazing that an ENTIRE State dealing with such sensitive information can't figure this out. And to let the intruder put together Zip files for migration? They must all be sleeping on the job!!
vigilence is a keyword here.
What we need is a new federal government department and a seat in the presidents' cabinet.The Department of Social Security Encoding and other Shyt
actually the NSA already has that taken care of but they only handle federal issues not state.
It seems like someone isnt updating theyre antivirus/spyware programs and clicking unknown links on theyre emails... If u currently dont run a professional type antivirus program, purchased or given to you from your'e ISP or employer.. then shame on you!! With hacking at an all time high, everyone needs to have lots of max. protection and also quit hitting email links. Oh btw.. most virus/spywares are seen on ... apparently they wont let me link this from Norton. There's also reports of religious sites loading malwares. I'm not a computer specialist, but once you have been attacked you will never again, if you're smart enough to investigate it.
No kidding! I was hacked during the early use of WiFi.Someone in my neighborhood got into my computer,got into my bank account,credit cards and ran up a $20000 bill before anyone(me) found out.They put a program over my real bank account that looked real but was nothing but something ismilar to a video camera recording a convenient store.It's all history and my was lopped!It a disaster that took me years to undo.My security has a security system.
I live in SC and it's even worse than this report. Haley and her cronies new about this for several weeks before the public was told. This state is so backward and last in everything. Haley is in over her head. If she at least paid attentrion to the state's business, but she no sooner got in office that she wrote a book. Republicans have been touting her as a future presidential candidate. I hope they do to get that incompetent Tea Party favorite out of here.
What a hypocrite. She was offered the software to encrypt data for free and turned it down and said since banks didn't do it she wasn't either but she was not comparing apples to apples. She is clueless.
I got an email today from Regions Bank then a message that this was tied to a phishing scam. First time ever. I guess my info has been sold on the internet blackmarket. We are so cursed to have so many Tea Party people here. Something else for those old geezers to be proud of.
Ya her and Palin the dream team for the pub's. Palin sold out to the globalist.
Florene, those bank related phishing scams have been going on for years. Haven't you ever read articles on sites such as MSN that tell you about these scams? Especially the ones that the scammers use virtually undetectable company or bank logos in their phony emails. How about the latest and greatest virus attacks?
If what I've read in other articles is correct and I understand it right, the problem in SC is that all of their data banks are not linked and the software would have to be installed separately throughout every agency. It is time consuming and costly, but I do agree that it needs to be done immediately. The problem is that like individuals, states don't think things like this will ever happen to them and when it does it's devastating. I also think that one year of ID protection is not enough. The thief (thieves) could sit on this info for a year and then wreck havoc. I think the protection should be for five years. This would make the perp more likely to get impatient and get caught quicker???
The Fed shouldn't have to make up rules to require states to encrypt info. That's a no brainer. This also could be a false flag OP to compromise banking and implement stronger martial law in the USA (patriot act). Ole GW did that all by his self. It's call haileon dialectic. Create crisis and have the answer that misleads good people to make poor decisions. Wow repub's run the state government. They musta saved a bundle by not making requirements to take a few added steps to protect personel info.