When an international hacker stole tax information from South Carolina’s department of revenue in 2012, it was at the time the largest cyber attack on a state government.
Ultimately, 75 gigabytes of data was stolen, impacting 6.4 million taxpayers, including 3.8 million adults and 1.9 million dependents, and 700,000 businesses.
Three years later, the department shared its story and breach lessons learned at the third annual Privacy XChange Forum, a conference dedicated to data security and privacy, in Scottsdale, Ariz.
“This was one of the first large-scale breaches of a government agency that shook the state and had far-reaching implications,” said Rick Reames III, director of South Carolina’s department of revenue. “Now, unfortunately, breaches, especially of government agencies, are a dime a dozen.”
Here’s a timeline of what happened in a two-month period in 2012, according to Reames:
Aug. 13 – A spear-phishing email was sent to a targeted distribution list at the DOR referencing wire instructions. An employee clicked on a link, which executed malware that stole the user’s username and password.
Aug. 27 – The attacker logged on to the department’s system using Citrix and the legitimate credentials. He leveraged those access rights to enter other systems to steal more credentials.
Sept. 1 – The attacker installed a backdoor on one of the agency’s servers and “poked around” for a week.
Sept. 13-14 – The attacker copied database files to a staging directory, compressed them using a number of zip archives, and moved what he had to a system on the Internet.
Oct. 10 – The U.S. Secret Service and state law enforcement division alerted the department, which went into immediate reaction mode, working with law enforcement, retaining a forensics expert, and working to remediate and mitigate what had happened. The results of forensics reconstruction painted a picture of exactly what happened.
“It sounds like a spy novel, but it happened in little old Columbia, South Carolina,” he said. “And it happens almost every single day all over the world.”
Oct. 19 – The department executed remediation activities to remove the access and prevent another compromise. It’s important to take time to understand where the breach came from, what information was compromised, and where the weaknesses are before cutting them off, he said.
Oct. 26 – The department notified the public of the breach through a press conference. Organizations must adhere to state regulations when notifying consumers of a breach. Direct notification by email or mail is a preferred method. Substitute notice through media or a website occurs when the number of impacted users rises to a level that makes it impractical to notify through direct communication, Reames said.
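As an added illustration (not part of the original article or the department’s own tooling), the following Python check correlates the staging-then-exfiltration pattern described in the Sept. 13-14 entry: a burst of archive files created on one host, followed by a large outbound transfer from the same host. The event records, hostnames, destination addresses and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the Sept. 13-14 step of the timeline
# (not real DOR logs). Fields: timestamp, host, event type, detail, bytes out.
SAMPLE_EVENTS = [
    ("2012-09-13 21:40:00", "db-srv-01", "file_create", r"D:\staging\returns_2010.zip", 0),
    ("2012-09-13 21:52:00", "db-srv-01", "file_create", r"D:\staging\returns_2011.zip", 0),
    ("2012-09-13 22:05:00", "db-srv-01", "file_create", r"D:\staging\returns_2012.zip", 0),
    ("2012-09-14 02:10:00", "db-srv-01", "net_out", "203.0.113.7:443", 48_000_000_000),
    ("2012-09-13 09:00:00", "ws-114", "file_create", r"C:\Users\jdoe\report.zip", 0),
    ("2012-09-13 09:30:00", "ws-114", "net_out", "198.51.100.20:443", 2_500_000),
]
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".gz")

def parse(ev):  # raw tuple -> (datetime, host, kind, detail, bytes)
    ts, host, kind, detail, nbytes = ev
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, kind, detail, nbytes)

def archive_bursts(events, window=timedelta(hours=1), min_count=3):
    """Return {host: time of last archive} for hosts that created at least
    min_count archive files inside one sliding window (the staging step)."""
    by_host, bursts = {}, {}
    for ts, host, kind, detail, _ in events:
        if kind == "file_create" and detail.lower().endswith(ARCHIVE_SUFFIXES):
            by_host.setdefault(host, []).append(ts)
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                bursts[host] = times[j]
                break
    return bursts

def detect_staging_exfil(raw_events, max_lag=timedelta(hours=24), min_bytes=10**9):
    """Alert when an archive burst on a host is followed within max_lag by an
    outbound transfer of at least min_bytes from the same host."""
    events = sorted(map(parse, raw_events))
    bursts = archive_bursts(events)
    alerts = []
    for ts, host, kind, dest, nbytes in events:
        if (kind == "net_out" and host in bursts and nbytes >= min_bytes
                and timedelta(0) <= ts - bursts[host] <= max_lag):
            alerts.append({"host": host, "dest": dest, "bytes": nbytes,
                           "staged_at": bursts[host].isoformat(),
                           "sent_at": ts.isoformat()})
    return alerts
```

Run `detect_staging_exfil(SAMPLE_EVENTS)` to see the single alert for `db-srv-01`; the workstation that zipped one report and sent a few megabytes does not trigger it.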
The breach had two major effects on the state. Externally, it created a public relations nightmare because media coverage heightened the public’s fear and frustration.
“It created an atmosphere of intense scrutiny,” he said. “You take this spark of public fear and frustration and the hot lights of the media and the blaze of political discord and you’ve got a raging fire on your hands.”
Internally, the department’s operations and employee morale were significantly impacted, he said. Breaches can lead to lost sales and reputational damage, but they also affect a firm’s employees on a personal level. “Morale was dismally low, which is a disaster for productivity,” Reames said.
Other immediate changes the department has implemented:
- Offer credit monitoring. The state continues to offer credit monitoring to impacted citizens, three years after the incident.
- Change organizational culture. The department’s new motto is “security is nonnegotiable.” It has worked hard to change its culture so that security is woven into the fabric of the agency.
- Implement employee training. Within the first five minutes after employees are hired, Reames said, they are hit with multiple hours of cyber security training. They have to take tests and get re-certified on an annual basis. The training also applies to contractors and temporary workers.
- Restructure your organization to support security. The agency restructured its organization so that a chief information security officer would report directly to the director and not the chief information officer, which could create tension between security and operations.
- Network to share best practices. The agency joined a state security council to share information and best practices.
- Enhance security. The agency took a number of steps to enhance security. Now, emails open in a reading pane only. User access to the network and to work cell phones is limited. The agency uses website whitelisting and complex passwords, pays people to try to breach its systems, and has deployed new technologies.
“We’ve learned a lot from this and we have moved forward,” Reames said. “We are light years away from where we were three years ago.”