South Carolina state officials announced Friday evening that the social security numbers of some 3.6 million state residents and 387,000 credit and debit card numbers were exposed in a data breach. The SSNs were stored unencrypted, and while most of the credit cards were encrypted, some 16,000 card numbers were not.
The state's IT department on October 10 alerted the South Carolina Department of Revenue (DOR) that there had been a possible hack that involved taxpayer information. The DOR contacted law enforcement and the governor's office, and then hired on Mandiant to handle the forensics investigation of the hack, secure it, and install new equipment and software, according to state officials.
A spokesperson for Mandiant said the company was unable to comment on the case.
According to the state's timeline, the forensics investigators on October 16 discovered two break-in attempts that occurred in early September, and then found yet another one had been tried in late August. It was in mid-September that the attacker or attackers were able to break in two more times, and then steal data. The state closed the vulnerability that the attacker used to infiltrate the system on October 20.
Although state officials referred to the hack as a "database" breach, they didn't specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.
Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. "That's the simplest way in," he says.
SQL injection is the most common flaw, notes Scott Parcel, CTO at Cenzic. "Web application vulnerabilities have been a constant threat since the earliest days of the Web, yet as the massive breach in South Carolina demonstrates, securing against attacks remains on ongoing challenge for most organizations," Parcel says.. "In the thousands of Web applications we test daily, we see the vast majority are vulnerable to SQL injections."
And the state appears to have overlooked encrypting South Carolina residents' SSNs. "It seems they were really behind on encryption ... They are in a pretty bad place" with this attack, Veracode's Eng says.
South Carolina government Nikki Haley called the attack "unprecedented" and said it was a different situation than an April data breach that exposed 230,000 South Carolina residents' Medicare and Medicaid records. "This is totally different," Haley said in a Reuters report. "This is an international attack that did not come from the inside."
Haley noted that the attack was more sophisticated. "This wasn't an issue where anyone in state government could have done something to avoid it," Haley said. "This is a situation where a sophisticated, intelligent individual got into a database and is unbelievably creative in how he did it, and now we're having to deal with it."
According to local television reports, Haley would not disclose the geographic location of the attacker in order to protect the investigation. "I want this person slammed against the wall," she said, referring to the attacker as "an international hacker." "I want that man just brutalized," Haley said.
Residents will receive one year of free credit monitoring and identity theft protection. Officials say any resident who has filed a South Carolina tax return since 1998 should check if their information was exposed. That information can be found via protectmyid.com/scdor or by calling 1-866-578-5422.
"From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority," said James Etter, director of South Carolina's DOR. "We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.