[BreachExchange] Four years later, case still open in DOR data breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 15 18:49:44 EDT 2016


http://www.greenvilleonline.com/story/news/crime/2016/08/12/four-years-later-case-still-open-dor-data-breach/88453548/

Four years after South Carolina’s tax agency suffered the worst data breach
in state history, 5 million attempts are made each week to gain
unauthorized access to state government computers, which hold vast amounts
of personal data belonging to taxpayers, employees and members of the
public.

The attempts come from around the world, state officials say, and include
roughly 350 attempts per week to deliver advanced or never seen before
malicious software onto agency computers.

But this is not the same cyber security environment that hackers found in
2012, when phishing emails to state Department of Revenue employees
triggered a massive breach that exposed personal information for almost 4
million taxpayers and 700,000 businesses.

“It was a wake-up call for both government and private industry,” DOR
Director Rick Reames told The Greenville News. “Since the data breach, the
department has come light years in terms of cyber security. What we have
done is to work hard to instill a culture that security is non-negotiable.”

Chaney Adams, a spokeswoman for Gov. Nikki Haley, said the governor has led
an unprecedented effort since the breach to protect South Carolinians
against future attacks.

“In the wake of the Revenue Department breach, Gov. Haley led an
unprecedented, coordinated effort across state government – with the help
of law enforcement, agency directors, IT experts and members of the General
Assembly – to strengthen information security and put long term measures in
place that protect the people of South Carolina from criminal hackers going
forward.”

Cyber security experts at the time noted a host of lax security features at
the tax agency that aided the hackers in their crime, including a lack of
encryption, inadequate system detection safeguards and single-factor
authentication for data access.

But what allowed the hackers inside the door, so to speak, was a phishing
email.  On Aug. 13, 2012, investigators believe, one employee clicked on an
embedded link, triggering malware which captured the user’s password and
effectively gave the attackers a key to DOR's data vault.

The hackers spent weeks exploring DOR's computers by remote access before
finally locating and carrying off their prize – databases loaded with
millions of taxpayers' files and personal information.

No one at the agency noticed the theft until members of the U.S. Secret
Service notified department officials a month later of possible stolen
personal information from tax data.

A cyber-security blogger likened what happened to bank robbers who “blast
their way into the vault room, and then drag the vault around the bank for
two days before running away with the plunder without anyone hearing or
seeing them.”

“In the physical world, it can only happen if all the security personnel
were deaf and blind,” wrote Tal Be'ery for Security Week.

Four years later, the state has made a myriad of cyber security
improvements but the culprits of the DOR breach have not been captured.

“It is still a very active and open investigation,” Thom Berry, a spokesman
for the State Law Enforcement Division, told The News. “We recently
discussed the matter with our federal partners and they assured us they too
have a very open and active investigation on the matter.”

A spokesman for the Secret Service could not be reached for comment.
Officials have largely been mum about the probe’s progress since the
initial news conferences.

Reames, who was hired nearly two years after the breach, said cyber
security today at his agency bears no resemblance to the protections around
before the breach.

All employees, for instance, now receive continuing training on cyber
security.

“What all of the cyber-security experts tell you is that approximately 80
percent of the threats can be eliminated by vigilant training,” he said.

Before any employee has access to a DOR computer system, Reames said, they
have to go through nationally-accredited security training, including
testing on phishing, privacy issues and data classification. Existing
employees have to be re-certified each year. There also are mock security
drills, penetration testing and phishing email tests.

The agency also hired a chief information security officer who reports
directly to the agency’s director.  An internal auditor also now reports to
the director.

New technologies have been installed to prevent threats or to mitigate
them, including monitoring and alert products, Reames said.

“We’re significantly stronger than we were in 2012,” he said. “But this is
a constantly changing game. The criminals are always changing their tactics
and we have to. It would be foolish to predict that there would not be
another event. I will tell you that we are doing everything we can to
prevent it.”

Haley announced the breach on Oct. 26, 2012, about 10 days after Secret
Service officials tipped DOR.  Investigators said they wanted the time to
make progress on their investigation before the world knew what happened.

Though she initially described the attack as sophisticated and one that
couldn't be prevented, Haley eventually learned of inadequate security not
only at DOR but at other agencies. DOR's director at the time resigned.

She took a series of steps to better protect agency computers while at the
same time protecting consumers whose personal data was stolen.

Officials entered into a $12 million credit monitoring contract to help
taxpayers affected by the breach.

Haley ordered her cabinet agencies to use the state’s monitoring service,
which was being upgraded to provide around-the-clock protection, and asked
the state’s inspector general, Patrick Maley, to look at state government
cyber security as state lawmakers held hearings and explored what went
wrong and improvements that needed to be made.

Officials have since strengthened data security at agencies through a
series of improvements.

Those have included the establishment of an office of state cyber security,
which has provided advanced cyber security training for state employees,
developed new information security and data privacy policies and overseen a
series of technology improvements.

The improvements have included implementing stronger network monitoring
capabilities for all cabinet agencies such as 24-hour a day monitoring,
intervention, and interruption of unusual events and viruses. They also
have included installation of new firewall technology to protect agency
computers from threats outside and within the network.

The technology also detects the approximately 100,000 attempts each week to
infect agency computers with malicious software, according to the state’s
administrative agency, in which the information security office resides.

Officials with the state Department of Administration say there are about 5
million attempts each week at unauthorized access onto state computers,
though not all of those are considered high-risk.

One of the issues with state agency cyber security has been that because
state government is decentralized, many agencies have operated their
computer systems as “islands,” with their own procedures, technology and
policies.  Haley’s executive orders covered only her cabinet agencies.

In January, Haley issued an executive order for her cabinet agencies to use
shared services to address information security risks. Lawmakers, feeling
the issue was too important to be contained to those agencies, applied her
order to all of state government.

To date, Reames said, there have been no other breaches and no verified
cases in which someone's personal identity has been stolen as the result of
the 2012 hacking.

Some Democratic lawmakers suggested in past years that this is because
officials may have paid a ransom to the hackers. Authorities have never
publicly commented on those rumors.

Reames offered other explanations why no identity thefts have been traced
to the data breach.

“Law enforcement has said they have not identified a single case related to
the data breach,” he said. “That may be because the state did a great job
of mitigating the results. But unfortunately there have been so many data
breaches since the DOR data breach that the public is to some extent numb
to this because they have had their information exposed many times by many
different organizations.”