South Carolina Governor Nikki Haley blamed an outdated Internal Revenue Service standard (see below) for a massive data breach that exposed the SSNs of 3.8 million South Carolina taxpayers along with credit card and bank account data. The identity information, nearly 75 GB of it, was stolen from computers belonging to the SC Department of Revenue.
The breach forces some uncomfortable realizations on the people of South Carolina, and on the rest of us:
- South Carolina was compliant with IRS rules, but the IRS DOES NOT REQUIRE THAT SSNs BE ENCRYPTED. In other words, the key to your financial buying power (your credit profile, which hangs on your SSN) is protected in no material way by the IRS, and therefore by your state government, once it sits in plaintext on a server an attacker can reach. (Encryption at rest only helps, of course, when the decryption keys live somewhere the attacker's stolen credentials cannot reach; it is a necessary control, not a sufficient one.)
- Technology isn’t the only source of blame. As is the case in nearly every data breach I’m brought in to help clean up, a HUMAN DECISION is at the heart of the breach.
A report issued by Mandiant (a security company) determined that an employee's computer became infected with malware after the user opened a phishing email. The attacker captured that employee's username and password, and those two pieces of information alone were enough to log into the agency's Citrix remote access service. From there the attacker installed malicious tools that harvested account passwords on six servers, which in turn gave them access to at least 36 other systems.
So what’s the point?
- The IRS needs to update its non-encryption policy;
- Individual states need to take responsibility too and enact a higher standard of SSN protection than the federal government requires;
- All governmental and corporate organizations need to train their employees on PHISHING, a 15 YEAR OLD PHENOMENON, along with the other forms of modern data theft. If your employees are still falling for phishing, you are way behind the data protection curve;
- Businesses can't ignore this problem either: data belonging to 699,900 businesses was compromised as well.
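Since the first point at the top of the post and the list above both turn on SSNs sitting unencrypted in a state database, here is what field-level encryption of that one column looks like in practice. This is an added example, not code from the South Carolina Department of Revenue, Mandiant, or the original post; the `Record` layout, the `Vault` type, its method names and the demo keys are all assumptions for illustration, and the taxpayer ID and SSN used in `main` are constructed sample data. Each SSN is sealed with AES-256-GCM under a fresh nonce, bound to its taxpayer ID as authenticated data so a ciphertext cannot be silently moved to another row, and paired with a keyed HMAC token so the agency can still answer "do we already have this SSN?" without decrypting anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// Record is what a taxpayer table would store: no plaintext SSN, only an
// authenticated ciphertext and a keyed lookup token. (Assumed layout.)
type Record struct {
	TaxpayerID string
	SSNCipher  []byte // nonce || AES-256-GCM ciphertext || tag
	SSNToken   string // hex(HMAC-SHA256(tokenKey, normalized SSN)) for equality lookups
}

// Vault holds the keys. In a real deployment both keys come from a KMS/HSM or
// a separate secrets service, never from the database host itself.
type Vault struct {
	aead     cipher.AEAD
	tokenKey []byte
}

var ssnRe = regexp.MustCompile(`^[0-9]{3}-?[0-9]{2}-?[0-9]{4}$`)

// normalizeSSN validates the shape and strips dashes so that "123-45-6789"
// and "123456789" encrypt and tokenize identically.
func normalizeSSN(s string) (string, error) {
	if !ssnRe.MatchString(s) {
		return "", errors.New("not a well-formed SSN")
	}
	out := make([]byte, 0, 9)
	for i := 0; i < len(s); i++ {
		if s[i] != '-' {
			out = append(out, s[i])
		}
	}
	return string(out), nil
}

func NewVault(encKey, tokenKey []byte) (*Vault, error) {
	if len(encKey) != 32 || len(tokenKey) < 32 {
		return nil, errors.New("need a 32-byte AES key and a >=32-byte token key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: gcm, tokenKey: tokenKey}, nil
}

// Token derives the lookup token for an SSN; it never reveals the SSN itself.
func (v *Vault) Token(ssn string) (string, error) {
	norm, err := normalizeSSN(ssn)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, v.tokenKey)
	mac.Write([]byte(norm))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

// Protect encrypts the SSN under a fresh random nonce and binds the ciphertext
// to the taxpayer ID as additional authenticated data.
func (v *Vault) Protect(taxpayerID, ssn string) (Record, error) {
	norm, err := normalizeSSN(ssn)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(norm), []byte(taxpayerID))
	tok, _ := v.Token(norm) // norm was validated above
	return Record{TaxpayerID: taxpayerID, SSNCipher: ct, SSNToken: tok}, nil
}

// Reveal decrypts; any bit flip, wrong key or taxpayer-ID mismatch fails closed.
func (v *Vault) Reveal(r Record) (string, error) {
	ns := v.aead.NonceSize()
	if len(r.SSNCipher) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, r.SSNCipher[:ns], r.SSNCipher[ns:], []byte(r.TaxpayerID))
	if err != nil {
		return "", errors.New("decryption failed: tampered data, wrong key, or record moved")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo keys; a real deployment fetches them from a KMS.
	encKey := sha256.Sum256([]byte("demo-encryption-key"))
	tokKey := sha256.Sum256([]byte("demo-token-key"))
	v, err := NewVault(encKey[:], tokKey[:])
	if err != nil {
		panic(err)
	}
	rec, _ := v.Protect("TP-1001", "123-45-6789") // constructed sample row
	fmt.Printf("stored: id=%s token=%s... cipher=%x...\n", rec.TaxpayerID, rec.SSNToken[:12], rec.SSNCipher[:8])
	ssn, err := v.Reveal(rec)
	fmt.Println("reveal:", ssn, err)
	rec.TaxpayerID = "TP-2002" // copy the ciphertext onto another taxpayer's row
	_, err = v.Reveal(rec)
	fmt.Println("moved row:", err)
}
```

The design choice that matters for this breach is where the keys live. An attacker who has harvested server passwords, as Mandiant describes, can read any file on those servers; if the AES and HMAC keys are in a config file next to the database, the encryption buys nothing. Keep them in a key service the database account cannot call, and the stolen 75 GB becomes ciphertext plus tokens rather than 3.8 million usable SSNs.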
Now it's time for South Carolina (and the IRS) to clean up the mess. Unfortunately, it is some portion of those 3.8 million South Carolina taxpayers who are really left holding it.
John Sileo is the award-winning author of Privacy Means Profit (which provides tools for identity theft prevention and recovery) and keynote speaker on data privacy and reputation protection. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business.