10/29/2012
07:46 PM

Majority Of South Carolinians' Social Security Numbers Exposed In Hack

State database infiltrated and 3.6 million citizens' SSNs unencrypted and at risk

It's deja vu all over again: yet another database full of personal information has been hacked, and this time more than three quarters of the residents of South Carolina were the victims.

South Carolina state officials announced Friday evening that the social security numbers of some 3.6 million state residents and 387,000 credit and debit card numbers were exposed in a data breach. The SSNs were stored unencrypted, and while most of the credit cards were encrypted, some 16,000 card numbers were not.

The state's IT department on October 10 alerted the South Carolina Department of Revenue (DOR) that there had been a possible hack that involved taxpayer information. The DOR contacted law enforcement and the governor's office, and then hired Mandiant to handle the forensics investigation of the hack, secure it, and install new equipment and software, according to state officials.

A spokesperson for Mandiant said the company was unable to comment on the case.

According to the state's timeline, the forensics investigators on October 16 discovered two break-in attempts that occurred in early September, and then found yet another one had been tried in late August. It was in mid-September that the attacker or attackers were able to break in two more times, and then steal data. The state closed the vulnerability that the attacker used to infiltrate the system on October 20.

Although state officials referred to the hack as a "database" breach, they didn't specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. "That's the simplest way in," he says.

SQL injection is the most common flaw, notes Scott Parcel, CTO at Cenzic. "Web application vulnerabilities have been a constant threat since the earliest days of the Web, yet as the massive breach in South Carolina demonstrates, securing against attacks remains an ongoing challenge for most organizations," Parcel says. "In the thousands of Web applications we test daily, we see the vast majority are vulnerable to SQL injections."

And the state appears to have overlooked encrypting South Carolina residents' SSNs. "It seems they were really behind on encryption ... They are in a pretty bad place" with this attack, Veracode's Eng says.

South Carolina Governor Nikki Haley called the attack "unprecedented" and said it was a different situation than an April data breach that exposed 230,000 South Carolina residents' Medicare and Medicaid records. "This is totally different," Haley said in a Reuters report. "This is an international attack that did not come from the inside."

Haley noted that the attack was more sophisticated. "This wasn't an issue where anyone in state government could have done something to avoid it," Haley said. "This is a situation where a sophisticated, intelligent individual got into a database and is unbelievably creative in how he did it, and now we're having to deal with it."

According to local television reports, Haley would not disclose the geographic location of the attacker in order to protect the investigation. "I want this person slammed against the wall," she said, referring to the attacker as "an international hacker." "I want that man just brutalized," Haley said.

Residents will receive one year of free credit monitoring and identity theft protection. Officials say any resident who has filed a South Carolina tax return since 1998 should check if their information was exposed. That information can be found via protectmyid.com/scdor or by calling 1-866-578-5422.

"From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority," said James Etter, director of South Carolina's DOR. "We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PJS880,
User Rank: Ninja
11/6/2012 | 6:30:12 AM
re: Majority Of South Carolinians' Social Security Numbers Exposed In Hack





If you are going to keep my personal information such as my social security number on file because it is required, please at the very least encrypt the data. All these current hacks where individuals' personal information is put at risk due to a breach, I would think making it harder on the hacker once they get the data to read it would be helpful. These sorts of attacks suck and are really a pain in the butt to deal with if your information was compromised. I hate to say it but these attacks are what is going to push the security to the next level.

Paul Sprague
InformationWeek Contributor


Cryptodd,
User Rank: Moderator
10/31/2012 | 11:39:17 PM
re: Majority Of South Carolinians' Social Security Numbers Exposed In Hack
While SQL injection was a probable method used by the attacker to break into the database, it is curious that Social Security numbers for 3.6 million residents and credit card information for 16,000 were in the clear. Under most state data breach laws including South Carolina's, encryption provides businesses with a "safe harbor" from notification in the event of a breach and is typically deployed. That may have saved the governor a big public headache. Too bad the state cut corners and didn't follow common data security best practices for protecting its citizens' information.