Massive Data Breach Hits South Carolina State Tax System
The latest breach shows that state and local governments as well as private corporations need to better lock down their data and perform regular security assessments, security experts say.The theft of approximately 3.6 million Social Security numbers and information on 387,000 credit and debit card accounts is yet another reminder that all IT operations should lock down their sensitive data by segmenting their networks, using better access controls, and regularly performing vulnerability assessments, security experts said. On Oct. 26, the South Carolina Department of Revenue announced that attackers had breached its systems in September, following two previous attacks in August. The attacks exploited an unspecified vulnerability in the system, which the state agency closed on Oct. 20. The online thieves who breached its network took a large amount of sensitive information on any taxpayers that had filed tax returns since 1998. "The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," S.C. Governor Nikki Haley said in the statement. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected." The massive breach shows that state and local governments need to better lock down their data, as millions of sensitive records have been taken from government systems this year. In April, a hacker used a weak password to break into a server managed by the Utah Department of Technology Services and steal Social Security numbers and medical information on 780,000 people. In 2011, systems at Massachusetts' Department of Unemployment Assistance and Department of Career Services were infected with a malicious program that may have taken sensitive data on 210,000 job seekers.
"If you think about it, a lot of our information is held by state and local governments," said Anup Ghosh, CEO of security firm Invincea. "Traditionally, they have lagged, but if you look at the data that they have, they really can't afford to be behind."