After initially deflecting responsibility, South Carolina Governor Nikki Haley has admitted that her administration could have done a better job to prevent a data breach that compromised sensitive information for four million individuals and 700,000 businesses that file state taxes.
More than 3.3 million unencrypted bank account numbers were stolen, along with 5,000 credit card numbers, most of which were expired. Nearly two million children's Social Security numbers (listed on their parents' returns) were also compromised.
For banks, the news couldn't be worse: an investigation of the tax office's security revealed that it did not require dual (two-factor) authentication for parties accessing tax returns, nor did it encrypt Social Security numbers at rest, both of which are standard measures for protecting financial and personal data.
And worse yet, the breach has released the kind of financial information that crooks find particularly valuable, meaning banks could face further pain from the incident in the future.
"The exposure here to the banks is of the worst kind because bank account numbers along with personal information were stolen. This is some of the priciest information available in the black market because armed with it, criminals can more easily divert customer money deposited at banks to themselves," says Avivah Litan, a vice president and security specialist for Gartner.
The hacker stole data from electronically filed tax returns, mostly from the past decade.
The U.S. Secret Service initially told the state about the breach in early October, and the state responded by hiring Mandiant, a computer security company, to locate and fix the gap. Governor Haley had initially told local press that there was nothing the state could have done to prevent the breach, but Mandiant's investigation revealed that wasn't the case. The company noted lax security in a number of areas, including the fact that the state revenue department turned down free security services from the state's IT division. In announcing Mandiant's findings this week, Haley took more responsibility for the breach, though she partly blamed IRS security guidelines.
In response, the governor will require all 16 cabinet agencies to use the state's computer monitoring service, and will use a Mandiant service that automatically shuts down computers if data is being transferred outside of protocol. Also, Jim Etter, director of the Department of Revenue, has fallen on his sword and will leave his job at the end of the year, though Haley did not directly blame Etter for the breach.
Litan says banks should lobby for stricter data protection laws around bank account numbers. "Credit and debit card numbers have a lot of protection around them thanks to the PCI standard and its enforcement. Ironically, there is not a commensurate data security standard for protection of bank account numbers, even though consumers and businesses have fewer protections if their bank account data is stolen than if their credit or debit card is stolen," she says.
Litan says bank account numbers need even stronger protection than credit and debit card numbers, but "the problem is no one wants to spend the money on stronger data protection and they usually don't unless they are forced to by regulators and other government entities," she says.
Al Pascual, an analyst for Javelin Strategy & Research, says the South Carolina breach increases the chances that financial fraud will affect those customers who had their information compromised. Pascual recently wrote that individuals who have received a data breach notification are almost 10 times likelier to be fraud victims than those who have not.
"In this case, the [personal identification information] lost is something that many financial institutions have yet to avoid using to authenticate consumers," Pascual told BTN in an email Tuesday night. As a best practice, Pascual said, "We have and will continue to recommend that financial institutions limit the use of Social Security numbers to account opening only, and require strong authentication methods for future interaction with the consumer."
He said static data should be avoided in consumer authentication, and the South Carolina breach is one example of why implementations that rely on such information place both the consumer and the financial institution at risk. "The odds are very good that criminals can access, buy or guess static consumer [personal identification information]," Pascual says.