Attacks/Breaches
10/29/2012
07:46 PM

Majority Of South Carolinians' Social Security Numbers Exposed In Hack

State database infiltrated and 3.6 million citizens' SSNs unencrypted and at risk

It's déjà vu all over again: yet another database full of personal information has been hacked, and this time more than three quarters of the residents of South Carolina were the victims.

South Carolina state officials announced Friday evening that the Social Security numbers of some 3.6 million state residents and 387,000 credit and debit card numbers were exposed in a data breach. The SSNs were stored unencrypted, and while most of the card numbers were encrypted, some 16,000 were not.

The state's IT department on October 10 alerted the South Carolina Department of Revenue (DOR) to a possible hack involving taxpayer information. The DOR contacted law enforcement and the governor's office, and then hired Mandiant to handle the forensics investigation, secure the compromised system, and install new equipment and software, according to state officials.

A spokesperson for Mandiant said the company was unable to comment on the case.

According to the state's timeline, the forensics investigators on October 16 discovered two intrusion attempts from early September, and then found a third that had been tried in late August. In mid-September the attacker or attackers succeeded in getting in twice more and stole data. The state closed the vulnerability the attacker used to get in on October 20.

Although state officials referred to the hack as a "database" breach, they didn't specify just what flaw was exploited. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. "That's the simplest way in," he says.

SQL injection is the most common flaw, notes Scott Parcel, CTO at Cenzic. "Web application vulnerabilities have been a constant threat since the earliest days of the Web, yet as the massive breach in South Carolina demonstrates, securing against attacks remains an ongoing challenge for most organizations," Parcel says. "In the thousands of Web applications we test daily, we see the vast majority are vulnerable to SQL injections."

And the state appears to have overlooked encrypting South Carolina residents' SSNs. "It seems they were really behind on encryption ... They are in a pretty bad place" with this attack, Veracode's Eng says.
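To make concrete what Eng and Parcel are describing, and why cleartext SSNs make a successful injection so much worse, here is an added example that is not code from the article, the South Carolina DOR, Veracode or Cenzic. It is a Python/SQLite stand-in for a taxpayer lookup page: the table schema, the records and the two attacker payloads are all constructed for the illustration, and nothing here is known about the actual flaw in the state's system; the experts' SQL-injection theory is simply what the example demonstrates.

```python
import sqlite3

# Constructed, fictitious taxpayer records (names and SSNs invented for the demo).
SAMPLE_TAXPAYERS = [
    (1, "Abbott", "078-05-1120"),
    (2, "Baker",  "219-09-9999"),
    (3, "Cole",   "457-55-5462"),
]

# Two classic injection payloads an attacker would submit in the
# "last name" form field of a Web-based taxpayer lookup page.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, last_name, ssn FROM taxpayer --"


def make_db():
    """In-memory SQLite database standing in for a taxpayer table.
    The SSN column is plain text, as the article says the real one was."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayer (id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO taxpayer VALUES (?, ?, ?)", SAMPLE_TAXPAYERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """Vulnerable lookup: the request parameter is spliced into the SQL text.
    A quote in the input terminates the string literal and the remainder of
    the input runs as SQL, so the attacker controls the WHERE clause."""
    sql = (
        "SELECT id, last_name, ssn FROM taxpayer WHERE last_name = '"
        + last_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, last_name):
    """Hardened lookup: the value is bound as a parameter, so the driver passes
    it to SQLite as data and it can only ever be compared against the column."""
    sql = "SELECT id, last_name, ssn FROM taxpayer WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def rows_exposed(lookup, conn, value):
    """Number of rows returned for one input through one lookup function."""
    try:
        return len(lookup(conn, value))
    except sqlite3.Error:
        # A SQL error means the input broke the query rather than exploited it.
        return 0


def run_demo():
    """Compare what a legitimate user and an attacker get from each lookup."""
    conn = make_db()
    results = {}
    for mode, lookup in (("vulnerable", lookup_vulnerable),
                         ("hardened", lookup_hardened)):
        results[mode] = {
            "legit": rows_exposed(lookup, conn, "Baker"),
            "tautology": rows_exposed(lookup, conn, PAYLOAD_TAUTOLOGY),
            "union": rows_exposed(lookup, conn, PAYLOAD_UNION),
        }
    conn.close()
    return results


if __name__ == "__main__":
    for mode, counts in run_demo().items():
        print(f"{mode:10s} legit={counts['legit']} "
              f"tautology={counts['tautology']} union={counts['union']}")
```

The vulnerable lookup hands back every row of the table for either payload, and because the ssn column is cleartext what comes back is immediately usable; the parameterized lookup returns nothing for the same payloads and still serves the legitimate query. Binding parameters is the fix; stripping quote characters from input is not, since payloads that avoid quotes exist for most database engines.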

South Carolina Governor Nikki Haley called the attack "unprecedented" and said it was a different situation from an April data breach that exposed 230,000 South Carolina residents' Medicare and Medicaid records. "This is totally different," Haley said in a Reuters report. "This is an international attack that did not come from the inside."

Haley noted that the attack was more sophisticated. "This wasn't an issue where anyone in state government could have done something to avoid it," Haley said. "This is a situation where a sophisticated, intelligent individual got into a database and is unbelievably creative in how he did it, and now we're having to deal with it."

According to local television reports, Haley would not disclose the geographic location of the attacker in order to protect the investigation. "I want this person slammed against the wall," she said, referring to the attacker as "an international hacker." "I want that man just brutalized," Haley said.

Residents will receive one year of free credit monitoring and identity theft protection. Officials say any resident who has filed a South Carolina tax return since 1998 should check if their information was exposed. That information can be found via protectmyid.com/scdor or by calling 1-866-578-5422.

"From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority," said James Etter, director of South Carolina's DOR. "We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PJS880, User Rank: Ninja
11/6/2012 | 6:30:12 AM
re: Majority Of South Carolinians' Social Security Numbers Exposed In Hack

If you are going to keep my personal information such as my Social Security number on file because it is required, please at the very least encrypt the data. All these current hacks where individuals' personal information is put at risk due to a breach, I would think making it harder on the hacker once they get the data to read it would be helpful. These sorts of attacks suck and are really a pain in the butt to deal with if your information was compromised. I hate to say it, but these attacks are what is going to push the security to the next level.

Paul Sprague
InformationWeek Contributor
Cryptodd, User Rank: Moderator
10/31/2012 | 11:39:17 PM
re: Majority Of South Carolinians' Social Security Numbers Exposed In Hack

While SQL injection was a probable method used by the attacker to break into the database, it is curious that Social Security numbers for 3.6 million residents and credit card information for 16,000 were in the clear. Under most state data breach laws including South Carolina's, encryption provides businesses with a "safe harbor" from notification in the event of a breach and is typically deployed. That may have saved the governor a big public headache. Too bad the state cut corners and didn't follow common data security best practices for protecting its citizens' information.