While the hacker attacks on big banks generated headlines and attracted mass attention, hackers – this time from across borders, made the most of this opportunity to execute a well-planned attack of a much more serious nature. Although this appears unrelated to the bank attacks, hackers in this case infiltrated the databases of the South Carolina Department of Revenue, to steal Personally Identifiable Information (PII) including 3.6 million Social Security Numbers, about 400,000 credit card numbers, and individual tax returns.
Although the breach seems to have begun in late August this year, it was not detected by the state government officials until the 10th of October, and the public was not notified about the loss of their PII until the 26th. While it is still unclear as to how the databases were accessed by criminals, it seems that state-approved credentials have been used to access the databases. But how these credentials were obtained by hackers is unclear. Though there is a possibility that the credentials could have been stolen, or an insider accomplice may be involved, there has been no evidence in the matter as yet.
This incident has taken the state government by complete surprise, and it clearly ranks as one of the most serious cyber crimes. Several issues remain to be addressed in this incident, one of the most important being the extent to which encryption was used, and the other being the issue of the contractor not detecting anything although the system was scanned for vulnerabilities in the months of September and October.
The state has been forced to hire a new contractor to ensure the security of the systems, as well as a lawyer to provide advice in the matters of liability. In addition to this, the state has also agreed to pay Experian up to $12 million for credit monitoring for victims. Although more action is awaited in this matter, and a complete account of how the hacking incident occurred is yet to come to light, this attack is certainly an eye-opener for all those who think that they have done enough to secure their data.
It’s therefore time to do a reality check and adopt a comprehensive security solution like SecureGRC to curb threats and vulnerabilities, and prevent security attacks of such nature.