South Carolina Hit By Massive Data Breach

The theft of approximately 3.6 million Social Security numbers and information on 387,000 credit and debit card accounts from government systems of the US state of South Carolina is yet another reminder that all IT operations should lock down their sensitive data by segmenting their networks, using better access controls, and regularly performing vulnerability assessments, security experts said.

On 26 October, the South Carolina Department of Revenue announced that attackers had breached its systems in September, following two previous attacks in August. The attacks exploited an unspecified vulnerability in the system, which the state agency closed on 20 October.

Sensitive data

The online thieves who breached its network took a large amount of sensitive information on any taxpayers that had filed tax returns since 1998.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” South Carolina Governor Nikki Haley said in the statement. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”

Millions of sensitive records have been taken from US government systems in recent months. In April, a hacker used a weak password to break into a server managed by the Utah Department of Technology Services and steal Social Security numbers and medical information on 780,000 people. In 2011, systems at Massachusetts’ Department of Unemployment Assistance and Department of Career Services were infected with a malicious program that may have taken sensitive data on 210,000 job seekers.

“If you think about it, a lot of our information is held by state and local governments,” said Anup Ghosh, chief executive of security firm Invincea. “Traditionally, they have lagged, but if you look at the data that they have, they really can’t afford to be behind.”

Private corporations have not done much better. In 2012, data-breach incidents have hit an all-time high, nearing 1,200 incidents, according to the Data Loss Database, an organisation that tracks publicly available information on a variety of breaches, from hacks to lost hard drives.

Limiting access

Companies as well as government agencies need to better limit access to data and ensure that any sensitive information is encrypted while stored. By segmenting networks to restrict access to only necessary personnel as well as cordon off malware from using an insider’s machine to steal information, companies and government agencies can be more certain that they are not leaking information. Finally, regular vulnerability scans can help find and close potential backdoors that could lead to a breach, as in the South Carolina case.

“Cases like this continue to raise awareness of the shortcomings of traditional infrastructure security in keeping sensitive data safe,” Mark Bower, vice president at data-protection provider Voltage Security, said in a statement on the Department of Revenue breach. “If data is not protected, it’s going to be breached at some point. And if an organisation can’t protect data wherever it goes, the data shouldn’t be on vulnerable systems that can put thousands of people’s identities at risk if compromised, lost or stolen.”

What do you know about Windows? Take our quiz.

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

View Comments

  • Governments, and especially small governments such as local councils are increasingly at risk of being hacked. The culture of prevention is just not in there yet despite all this issues. It's far cheaper to establish security measures (not only firewalls but security strategies and culture) than trying to repair damages.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

24 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago