Majority Of South Carolinians' Social Security Numbers Exposed In Hack

Published : 22/11/2024   Category : security



State database infiltrated and 3.6 million citizens' SSNs unencrypted and at risk



It's déjà vu all over again: yet another database full of personal information has been hacked, and this time more than three quarters of the residents of South Carolina were the victims.
South Carolina state officials announced Friday evening that the social security numbers of some 3.6 million state residents and 387,000 credit and debit card numbers were exposed in a data breach. The SSNs were stored unencrypted, and while most of the credit cards were encrypted, some 16,000 card numbers were not.
The state's IT department on October 10 alerted the South Carolina Department of Revenue (DOR) that there had been a possible hack that involved taxpayer information. The DOR contacted law enforcement and the governor's office, and then hired Mandiant to handle the forensics investigation of the hack, secure the system, and install new equipment and software, according to state officials.
A spokesperson for Mandiant said the company was unable to comment on the case.
According to the state's timeline, the forensics investigators on October 16 discovered two break-in attempts that occurred in early September, and then found that yet another one had been tried in late August. It was in mid-September that the attacker or attackers were able to break in two more times, and then steal data. The state closed the vulnerability that the attacker used to infiltrate the system on October 20.
Although state officials referred to the hack as a database breach, they didn't specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.
Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. "That's the simplest way in," he says.
SQL injection is the most common flaw, notes Scott Parcel, CTO at Cenzic. "Web application vulnerabilities have been a constant threat since the earliest days of the Web, yet as the massive breach in South Carolina demonstrates, securing against attacks remains an ongoing challenge for most organizations," Parcel says. "In the thousands of Web applications we test daily, we see the vast majority are vulnerable to SQL injections."
And the state appears to have overlooked encrypting South Carolina residents' SSNs. "It seems they were really behind on encryption ... They are in a pretty bad place with this attack," Veracode's Eng says.
South Carolina Governor Nikki Haley called the attack unprecedented and said it was a different situation than an April data breach that exposed 230,000 South Carolina residents' Medicare and Medicaid records. "This is totally different," Haley said in a Reuters report. "This is an international attack that did not come from the inside."
Haley noted that the attack was more sophisticated. "This wasn't an issue where anyone in state government could have done something to avoid it," Haley said. "This is a situation where a sophisticated, intelligent individual got into a database and is unbelievably creative in how he did it, and now we're having to deal with it."
According to local television reports, Haley would not disclose the geographic location of the attacker in order to protect the investigation. "I want this person slammed against the wall," she said, referring to the attacker as an international hacker. "I want that man just brutalized," Haley said.
Residents will receive one year of free credit monitoring and identity theft protection. Officials say any resident who has filed a South Carolina tax return since 1998 should check if their information was exposed. That information can be found via protectmyid.com/scdor or by calling 1-866-578-5422.
"From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority," said James Etter, director of South Carolina's DOR. "We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation."