
Data Breach Could Cost State $12 Million

More people taking advantage of monitoring service as investigation into breach continues.

At the third press conference in five days after it was announced that a data breach saw 3.6 million Social Security numbers accessed by a hacker, Gov. Nikki Haley said that progress is being made to protect the personal data of South Carolina citizens from further harm.

While efforts continue to limit the damage the breach has caused to individual taxpayers, doing so could end up costing the state as much as $12 million.

Haley said that so far 533,000 people had called the toll-free number and 287,000 had signed up for credit monitoring. Haley also said that average wait times for those calling in had fallen from 12 minutes to 10.

Go to the website protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422.

The consumer credit agency Experian is charged with monitoring credit reports and will include reports from the other two major reporting agencies, TransUnion and Equifax. Taxpayers can sign up free of charge from now through the end of January and have their credit report monitored for a year and receive fraud resolution for life.

The year-long monitoring service usually costs $49.95, but Haley said negotiations with Experian resulted in a cap for the state to pay no more than $12 million. If all those affected by the breach took advantage of the service, the cost would be upwards of $18 million.

Appearing at the press conference with Haley were SLED Chief Mark Keel and Department of Revenue Director James Etter.

Keel offered little explanation of why 16 days passed between the time the data was breached and the time the public was made aware of it. Keel said that going public would have jeopardized the investigation and that, for the same reason, he was limited in the amount of information he was able to provide at Tuesday’s session.

Haley reiterated that the parties responsible for the breach were “creative” and “sophisticated.” She also noted that entities such as Google, the CIA and the White House had been breached. “This is the world we live in. Everyone wants to blame someone for this, but this person responsible is a hacker overseas. There is nothing that the Department of Revenue could have done.”

Mike N. October 31, 2012 at 07:17 PM
"There is nothing that the Department of Revenue could have done." She may be correct. The breach might have come in the same way the Banker computer viruses behave: an employee with access to the DOR systems clicked on a Spear Phishing email and the computer was infected. Then the hacker had full access to anything the employee's computer had access to, including being able to intercept communications. Even encrypted credit card numbers would leak if the infected computer had access to the program that decrypts the credit card numbers.
GunnyHighway November 01, 2012 at 02:54 AM
Spear phishing attacks are defendable. The first defense is User Training. But that costs money... You need to develop or buy the training programs and you need to pay your employees while they get trained. Then you need to harden your network so that if the attack is successful, the data is contained in your network and is not allowed to be transmitted to the attacker. Encryption of the data would lessen the chances of a leak by reducing the number of computers that had access to the unencrypted data, thereby making it even more difficult to steal. Haley needs to stop making excuses and take ownership of this problem. She needs to fire the DOR CIO immediately! This was preventable and anyone who says otherwise is part of the problem!
Karen November 01, 2012 at 06:58 AM
This, in my opinion, has been a very slow and lax reaction to this crisis on the part of the SC state gov't. When this happened to a friend of mine in CA, they were given a year's membership with Lifelock, that essentially does all of the calling for you, to all of your credit cards, bank accounts and puts not only surveillance on your SocSec records, but also puts a freeze and fraud alert on everything for you. It's ridiculous that the citizens of SC have the headache of doing this all ourselves.
Mike N. November 01, 2012 at 10:10 AM
> Spear phishing attacks are defendable. The first defense is User Training.

The attackers are increasingly sophisticated. User Training only goes so far. They can take over the email of a coworker and send an attachment that looks just like a routine attachment the coworker sends.

> Then you need to harden your network so that if the attack is successful, the data is contained in your network and is not allowed to be transmitted to the attacker.

The only way to do this is to completely disallow web browsing on the DOR access computer. Otherwise as soon as the employee logs into the web proxy - boom the hacker has control of their computer.

> Encryption of the data would lessen the chances of a leak by reducing the number of computers that had access to the unencrypted data, thereby making it even more difficult to steal.

With full access to the computer system - sooner or later they'll have access to the program that decrypts the credit cards. Not saying that this attack was so sophisticated, but the only 99% secure solution is a completely separate network that would require a Stuxnet-style attack to jump and collect data.
Mike N. November 01, 2012 at 10:13 AM
> year's membership with Lifelock, that essentially does all of the calling for you, to all of your credit cards, bank accounts and puts not only surveillance on your SocSec records, but also puts a freeze and fraud alert on everything for you

Lifelock doesn't freeze your credit - it is only a fraud alert system; you find out after someone has opened credit in your name.
