The Atlanta Journal-Constitution
Hacker taps ‘crown jewel’ in S. Carolina
Cyberattack on tax agency sees key information stolen.
The theft of tax information from a South Carolina computer system appears to have been the largest cyberattack ever on a state government and has put other states on high alert, computer security experts say.
The state announced late last month that an international hacker had stolen 3.6 million Social Security numbers and 387,000 credit and debit card numbers. Now tax departments across the country are inspecting their own security systems.
Since 2005, at least 11 state tax agencies have faced security breaches, according to the Privacy Rights Clearinghouse, a consumer rights group. But most were caused by internal accidents, not attacks, and none were on this scale.
“As a cyberattack, this appears to be in a league of its own,” said Beth Givens, the group’s director.
The hacking has raised questions about whether South Carolina was unprotected or simply unlucky. Most of the stolen credit cards were encrypted but the Social Security numbers were not.
In a lawsuit filed earlier this month, a former state senator, John Hawkins, said the state had failed to protect taxpayers and had not reported the attack promptly. The tax agency detected the attack Oct. 10 and, after notifying federal authorities, alerted the public Oct. 26.
“Obviously these hackers picked South Carolina because it was vulnerable,” Hawkins said. “I equate it to a burglar going into a neighborhood. He’s going to break into the house with no alarms and the door open.”
But South Carolina is hardly the first state to experience a large-scale security breach. In Texas last year, Social Security records for 3.5 million people were inadvertently disclosed to the public on a computer server.
In Georgia in 2007, a computer disk containing personal information on 2.9 million people disappeared. At the federal Veterans Affairs Department in 2006, an employee lost a laptop and an external hard drive containing the Social Security records of 26.5 million active-duty troops and veterans.
Gov. Nikki Haley said South Carolina had a state-of-the-art security system but that the hacker nevertheless found a way around it. Her office said Friday that it was encrypting all tax files to reduce the harm if any were stolen and that the process would be completed within 90 days. The state is paying up to $12 million to provide a free year of credit monitoring and identity theft prevention to anyone affected.
Within state governments, tax agencies face the highest risk for hacking, said Larry Ponemon, the founder of a security research firm, the Ponemon Institute. If stolen, their data can be used for tax fraud, credit card fraud and identity theft.
“This is the crown jewel for a cyberattacker: having the Social Security numbers, personal information and credit card for the same person,” he said.
After the attack, state tax agencies said they were monitoring their security particularly closely.
Michael Hicks, the director of the Maryland Cybersecurity Center at the University of Maryland, said states needed a clearer understanding of the attack in South Carolina.
“The only way states can raise the level of vigilance,” Hicks said, “is if they really get to the bottom of what really happened in this attack.”