Specifically, a state Department of Revenue employee likely "unwittingly executed malware, and became compromised" after clicking on an embedded link in a salacious email, allowing an attacker to harvest the employee's username and password. So said a state-commissioned analysis from security firm Mandiant, released last week.
Two weeks after the initial malware infection, "the attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials," according to the report. "The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other Department of Revenue systems and databases with the user's credentials."
Ultimately, the attacker stole 3.3 million unencrypted bank account numbers. Given the recent spike in fraudulent wire-transfer attacks, that information promises to be a goldmine. Equally worrying for consumers is the theft of copies of 3.8 million tax returns, containing social security numbers for 1.9 million children and other dependents.
[ S.C. isn't alone in failing to protect government data. See Stolen NASA Laptop Had Unencrypted Employee Data. ]
Who's to blame for the data breach? South Carolina state officials have pointed the finger at Russian attackers, while also criticizing the Internal Revenue Service for not having required the state to encrypt social security numbers. But based on a reading of Mandiant's report, state officials are perhaps most to blame. On that note, last week Gov. Nikki Haley said at a news conference that South Carolina Department of Revenue director Jim Etter would resign, effective Dec. 31. Etter had reportedly declined the offer of free breach-detection services from the state's IT department.
From a security standpoint, failing to watch for intrusions was an amateur error, and -- no surprise -- the state failed to catch the recent intrusion. Likewise, the state failed to spot the follow-up compromise of 44 different systems, the installation of backdoor software, multiple instances of password hashes being dumped, the running of Windows batch scripts, or the attacker executing numerous arbitrary commands against databases.
As a result, a few weeks after the first successful malware infection, the attacker was still using the stolen credentials to conduct reconnaissance on 21 different state servers, although he or she hadn't yet been able to access sensitive data. But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system -- outside the state's control -- and deleted the zip files to help hide the data breach, according to Mandiant's report.
The breach remained undiscovered until about a month later, on Oct. 10, when the Secret Service informed state officials that information on three residents appeared to have been stolen. Two days later, the state hired Mandiant to help find out what happened.
The bill for the data breach now exceeds $14 million, reported the Associated Press. Related costs include $500,000 for Mandiant's efforts, $12 million for credit monitoring services from Experian, $800,000 for improved information security capabilities, $100,000 for outside legal help, $150,000 for a related public relations campaign as well as $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach.