Massive South Carolina Data Breach Shows Your Data Is Always At Risk

South Carolina shocked taxpayers Oct. 26 when it said 3.6 million returns dating back to 1998 had been hacked. All of the social security numbers and about 16,000 credit and debit card numbers on the returns were unencrypted, which means there was little stopping the overseas hackers from using the data. But what made this more than just another large-scale data breach was Gov. Nikki Haley’s explanation for leaving such sensitive information in plain text. In her administration’s view, the state was following the “industry standard.”

Which Standard?

It is not clear which standard made it OK not to encrypt data that, in the hands of criminals, can cause misery to victims. There are lots of standards requiring data encryption in the financial, health care and retail industries, but none that comes to mind saying it’s OK to leave social security and debit and credit card numbers in a digital format anyone can read.

“I find it, let’s say, odd,” Brent Huston, chief executive of information security company MicroSolved, said of the governor’s statement. “I don’t believe that the industry standard is that most social security numbers are not encrypted. For years, we as the security industry have been saying that we need to take measures to encrypt and adequately protect all forms of personally identifiable information.”

State officials have not said how the foreign hackers got into the Revenue Department’s database. The State newspaper reported that the criminals used state-approved credentials to enter the computer system in August and September. The Secret Service, which is leading the investigation, discovered the breach and notified state officials Oct. 10. Mark Keel, chief of the South Carolina Law Enforcement Division, said the break-in was kept secret from the public until Oct. 26 at the request of investigators.

On Oct. 29, Haley told a news conference that “the industry standard is that most social security numbers are not encrypted.

“A lot of banks don’t encrypt. A lot of those agencies that you think might encrypt social security numbers actually don’t, because it’s very complicated, it’s cumbersome and there’s a lot of numbers involved with it,” she said.

Costs Vs. Security

The implication that the cost and complexity of encryption prevented it from being used puzzled Scott Crawford, research director for Enterprise Management Associates, a tech industry analyst firm.

“What seems more likely in many cases is that organizations simply don’t want to take on the cost and/or complexity — real or perceived — of deploying data security measures such as encryption,” Crawford said. “In some cases, organizations may conclude that the risk of a breach is not worth the cost.”

Among organizations that gamble with risk to save money, South Carolina is a loser. The state has already set aside $12 million to pay credit-monitoring firm Experian to handle any problems for victims of credit card or identity fraud.

The state is also facing a possible class-action lawsuit. Former state senator John Hawkins is hoping the courts will grant his suit class-action status in order to represent victims. Hawkins claims the state failed miserably at protecting taxpayers, which state officials deny.

“I’m very confident that we have done a lot to protect the taxpayers of this state,” Haley says.

How Safe Is My Data?

Some security experts are sympathetic to South Carolina officials and the mess they are in.

If the crooks had stolen a state employee’s logon and password, then encryption would not have mattered, since the credentials would have given them access anyway.

“It’s difficult for me to say anything bad against the state, because they are the victim in this case,” said Jeremiah Grossman, a well-known Web security expert and founder of consulting firm WhiteHat Security.

Encrypted data constantly has to be descrambled and scrambled again as it moves across networks from one application to another. This requires constant management of the digital keys that machines use to lock and unlock data.

“In small implementations, pulling this off is fairly easy, but on large scales, it gets more and more difficult,” Himanshu Dwivedi, a security expert at consulting firm iSEC Partners, said. “Furthermore, systems that were built 10 to 15 years ago don’t have the best support/architecture for this either.”

In South Carolina, the more important issues may become how the hackers got into the system in the first place, and why state information technology workers didn’t discover the hack before the Secret Service did.

While those answers are sure to be interesting, they won’t answer the question most important to everyone living in a digital world. How can we be sure our data is safe?
