South Carolina shocked taxpayers Oct. 26 when it said 3.6 million returns dating back to 1998 had been hacked. All of the social security numbers and about 16,000 credit and debit card numbers on the returns were unencrypted, which means there was little stopping the overseas hackers from using the data. But what made this more than just another large-scale data breach was Gov. Nikki Haley's explanation for leaving such sensitive information in plain text. In her administration's view, the state was following the "industry standard."
Which standard made it OK not to encrypt data that, left in the hands of criminals can cause misery to victims, is not clear. There are lots of standards requiring data encryption in the financial, health care and retail industries, but none that comes to mind saying it's OK to leave social security and debit and credit card numbers in a digital format anyone can read.
"I find it, let’s say, odd," Brent Huston, chief executive of information security company MicroSolved, said of the governor's statement. "I don't believe that the industry standard is that most social security numbers are not encrypted. For years, we as the security industry have been saying that we need to take measures to encrypt and adequately protect all forms of personally identifiable information."
State officials have not said how the foreign hackers got into the Revenue Department's database. The State newspaper reported that the criminals used state-approved credentials to enter the computer system in August and September. The Secret Service, which is leading the investigation, discovered the breach and notified state officials Oct. 10. Mark Keel, chief of the South Carolina Law Enforcement Division, said the break-in was kept secret from the public until Oct. 26 at the request of investigators.
On Oct. 29, Haley told a news conference that "the industry standard is that most social security numbers are not encrypted.
"A lot of banks don't encrypt. A lot of those agencies that you think might encrypt social security numbers actually don't, because it's very complicated, it's cumbersome and there's a lot of numbers involved with it," she said.
Costs Vs. Security
The implication that the cost and complexity of encryption prevented it from being used puzzled Scott Crawford, research director for Enterprise Management Associates, a tech industry analyst firm.
"What seems more likely in many cases is that organizations simply don't want to take on the cost and/or complexity -- real or perceived -- of deploying data security measures such as encryption," Crawford said. " In some cases, organizations may conclude that the risk of a breach is not worth the cost."
Among organizations that gamble with risk to save money, South Carolina is a loser. The state has already set aside $12 million to pay credit-monitoring firm Experian to handle any problems for victims of credit card or identity fraud.
The state is also facing a possible class-action lawsuit. Former state senator John Hawkins is hoping the courts will grant his suit class-action status in order to represent victims. Hawkins claims the state failed miserably at protecting taxpayers, which state officials deny.
"I'm very confident that we have done a lot to protect the taxpayers of this state," Haley says.
How Safe Is My Data?
Some security experts are sympathetic to South Carolina officials and the mess they are in.
If the crooks had stolen a state employee's logon and password, then encryption would not have mattered, since the credentials would have given them access anyway.
"It's difficult for me to say anything bad against the state, because they are the victim in this case," said Jeremiah Grossman, a well-known Web security expert and founder of consulting firm WhiteHat Security.
Encrypted data constantly has to be descrambled and scrambled again as it moves across networks from one application to another. This requires constant management of the digital keys that machines use to lock and unlock data.
"In small implementations, pulling this off is fairly easy, but on large scales, it gets more and more difficult," Himanshu Dwivedi, a security expert at consulting firm iSEC Partners, said. "Furthermore, systems that were built 10 to 15 years ago don't have the best support/architecture for this either."
In South Carolina, the more important issues may become how the hackers got into the system in the first place, and why didn't state information technology workers discover the hack before the Secret Service?
While those answers are sure to be interesting, they won't answer the question most important to everyone living in a digital world. How can we be sure our data is safe?