Unbelievably Creative (2012)


In a previous post we noted that someone cracked the South Carolina Department of Revenue computer system and stole 3.6 million names and Social Security numbers, along with thousands of unencrypted matching credit card numbers. Questioned as to why South Carolina would store all that information without the basic protection of data encryption, South Carolina Gov. Nikki Haley said:

“This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it. This was a sophisticated hacker who creatively looked at the system. This was no simple breach.”

I wrote:

Really? The investigation is under way and the authorities have not yet disclosed the modi operandi of the hacker(s). But my bet is that the hacker simply pwned a state employee into giving up his or her legitimate user ID and password to the Department of Revenue database. We’ll see.

Mandiant, the information security company hired to investigate the breach, issued its report today. It concluded:

1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.

In other words, it was a simple breach. Lessons:

  • Any entity — government, commercial, private — that stores highly confidential information should encrypt the data. South Carolina did not.
  • Primates are the weakest link in any data security system. Everyone who has access to sensitive information must be trained in fundamental data security practices. Examples: Do not write down your password on a sticky note and paste it to your computer. Do not click on embedded links or open attachments in emails. Use a different password for every online site you visit. Et cetera.
  • Consumers must demand better online security practices from any company or agency that wants to store their personal data. Companies and government agencies do not like to spend the money necessary to protect customer data, and the customers pay the price.

Possessing your name, address, Social Security number, credit card number, and commonly used password — or just a few of these pieces of information — a cybercrook can steal far more from you than a burglar could get by breaking into your house. Your personal information is valuable and vulnerable. With profound apologies to Shakespeare, let’s paraphrase Iago in Othello:

Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my personal data
Robs me of that which enriches him,
And makes me poor indeed.