South Carolina Department of Revenue Hacked, 3.6 Million SSNs Taken

Posted by Soulskill
from the boy-are-their-faces-red dept.
New submitter Escape From NY writes "3.6 million Social Security numbers and 387,000 credit and debit card numbers were stolen from the SC Department of Revenue. Most of the credit and debit card numbers were encrypted — all but about 16,000. There were several different attacks, all of which originated outside the country. The first they're aware of happened on August 27, and four more happened in September. Officials first learned of the breach on October 10, and the security holes were closed on October 20. This is still a developing story, but anyone who filed a SC state tax return since 1998 may be at risk. Governor Nikki Haley today signed an executive order (PDF) to beef up the state's IT security."

  • Love their response (Score:2, Informative)

    by Anonymous Coward

    No worries, every single citizen of South Carolina--just call this skeevy company that offered us free credit protection and give THEM your personal info too.

    And also, the phone lines are busy. And the website doesn't actually work. And the offer is just a scam to try to get you on the hook for their "upgraded" service, which you'll never be able to cancel.

    Sorry, you didn't expect the state to actually PAY to fix this mess did you?

    Also, the Governor forgot to mention that one of her first acts in off

    • Re: (Score:2, Funny)

      by Anonymous Coward

      That's OK. Security's fixed now; the governor signed an executive order that made it so.

      • by Anonymous Coward

        With the GOVERNATOR, the criminal would already be dead ;)

        I'll be back!

    • by jhoegl (638955)
      I don't see South Carolina reversing anything since they don't believe in Evolution they can never evolve.
  • why bother (Score:4, Insightful)

    by Rivalz (1431453) on Friday October 26, 2012 @04:05PM (#41782163)

    Obviously there are no repercussions to the vendors, administration and IT staff.

    • by AmiMoJo (196126)

      You assume they are at fault, but it is possible a zero-day vulnerability was used and there was absolutely nothing they could reasonably have done.

      Disclaimer: I didn't read TFA.

  • by Tastecicles (1153671) on Friday October 26, 2012 @04:05PM (#41782177)

    This is yet another fine example of Government security doing its usual - leaking like a sieve, in clear violation of Statutory data security requirements. I'll make a prediction right here: some anonymous H1B or lowly DEC will catch it and be fired, notwithstanding the fact that the buck should stop not there, but at the feet of the DCM or the Executive who will continue to collect seven digit salaries.

    • by penix1 (722987) on Friday October 26, 2012 @04:36PM (#41782617) Homepage

      I'll play devil's advocate here...

      The true fault lies with the lazy citizens. They demand every government agency put their stuff online so they don't have to get off their fat asses and actually do something in person. The fault lies in the citizens always screaming "no taxes to pay for the services I demand". The fault lies with the citizens screaming for "less government" yet expecting government to do everything for them. The fault lies with the citizens who demand lowest bids be accepted for contracts allowing inferior products and services.

      Two things come to mind...

      Be careful what you wish for. You just may get it!
      and
      You get what you pay for.

      • by Obfuscant (592200) on Friday October 26, 2012 @04:44PM (#41782731)

        The fault lies with the citizens screaming for "less government" yet expecting government to do everything for them.

        Sorry, mate, but I'm one of the ones who says "less government", and I also say "stop doing things for me that I can do better myself." Trying to paint all people who call for less government with the same brush as those who feel the government should be a nanny state is a mistake, and leads to a sloppy and fatally flawed argument.

        • Re: (Score:2, Insightful)

          by penix1 (722987)

          So when the crime rate goes up because of your less government you will remain silent right? When your house burns down because they closed the fire department that was closest to you you won't complain right? When the hurricane hits the east coast next week you won't have a single comment on how the government handles the response right?

          Right....

          • by Obfuscant (592200) on Friday October 26, 2012 @05:08PM (#41783005)

            So when the crime rate goes up because of your less government you will remain silent right?

            Unfortunately for your rant, the things you want to claim I've been calling for less of aren't. You don't know, so please stop making a fool of yourself.

            When the hurricane hits the east coast next week you won't have a single comment on how the government handles the response right?

            Yes, I will. I will say "those idiots who build houses on a coast that both erodes on a regular basis and is inundated by storms should not get taxpayer support in rebuilding. They chose to live there despite the dangers, they should assume the risk."

            • by AmiMoJo (196126)

              Did you ever consider that they might not have had a choice? Perhaps they were born in that area, got a job there and needed to live within commuting distance. Couldn't just up-sticks and move inland.

              I think most people would prefer not to have to be building engineering and geological experts and instead just have the government figure out what is safe and set some rules for building houses.

              • by Obfuscant (592200)

                Did you ever consider that they might not have had a choice? Perhaps they were born in that area, got a job there and needed to live within commuting distance. Couldn't just up-sticks and move inland.

                The people who build or buy $2 million homes on the beachfront were neither born there, got a job there, nor are they so poor that they cannot afford to move somewhere else. In fact, many of those million dollar homes built on stilts are VACATION properties that they are busy renting out for big bucks whenever they aren't using them. Their jobs are in DC or New York or someplace else, they aren't commuting from the Outer Banks of North Carolina.

                I think most people would prefer not to have to be building engineering and geological experts and instead just have the government figure out what is safe and set some rules for building houses.

                Yes, most people would rather have a nanny state where some c

          • by lgw (121541) on Friday October 26, 2012 @05:11PM (#41783043) Journal

            So when the crime rate goes up because of your less government you will remain silent right? When your house burns down because they closed the fire department that was closest to you you won't complain right?

            Texas has no income tax yet has fire departments, police departments, schools, roads, and so on. California has the highest income tax, yet far crappier roads (seriously, they don't even light the freeways in town, and they're full of potholes), though the schools might be better (that tends to vary more between neighborhoods than between states, though).

            Here's a clue: the "infrastructure" part of government only takes a very small government to do. Mostly, government takes your money to give it to supporters

            When the hurricane hits the east coast next week you won't have a single comment on how the government handles the response right?

            Florida has no income tax, and had great government support when 4 hurricanes hit that one year (I was living there at the time). They even had a Republican governor that stood up against insurance companies and forced them to continue offering insurance that covered hurricane damage.

            You don't need a government that vacuums all possible cash from its citizens to do the good stuff government does - you only need that to hand over vast sums of money to government's friends.

            • by penix1 (722987)

              Florida has no income tax, and had great government support when 4 hurricanes hit that one year (I was living there at the time). They even had a Republican governor that stood up against insurance companies and forced them to continue offering insurance that covered hurricane damage.

              I couldn't let this one slide since I was in FEMA during that time...

              Florida gets far, far, far more federal dollars than it contributes especially in disaster response. Hell, there are still about 2,500 federal employees still

              • by lgw (121541)

                And collectively that's a trivial part of the federal government. The "non-military, non-mailing-checks-to-supporters" part of the federal government - pretty much everything all active, non-military federal employees do, is about 20% of the federal budget. Probably couldn't make that work with no income tax, but it's still cheap. The federal government is a pension plan with a military - the actual productive work it does is almost an afterthought, budget-wise.

              • by Obfuscant (592200)

                Florida gets far, far, far more federal dollars than it contributes especially in disaster response.

                So? You seem to think that anyone who wants smaller government must accept no federal money under any circumstances. You can have a smaller government and still have federal aid in times of disaster. Maybe not aid to people who build in known-hazard areas, but when a hurricane rips all the way across a state, not everyone is in a known-hazard area. Or when the levees break. People who build right on the shore, and build on stilts because they know floods happen on a regular basis, however, are a different

                • by ai4px (1244212)
                  Oh my, are you crazy???? we have to take the federal money.... if you leave the money on the table, someone else will get it and we'll just end up paying for it anyway. Well, at least that seems to be the prevailing mentality. I'm convinced that between federal grant programs used to permanently fund certain departments (mating habits of indigenous gray squirrels anyone??), and unconstitutional government alphabet soup agencies, we are doomed. The last governor of SC refused to get $700M federal stimulus
          • You are totally right penix1!

            Instead of reducing government waste, we should actually increase it. Just think! Almost no crime, or fires if we had 10x the government we do now. And in order to pay for it, instead of them taking 18% of your paycheck, they will only have to take 180% of it! What a utopia that would be!

      • by Havokmon (89874) <rick@havo k m on.com> on Friday October 26, 2012 @04:52PM (#41782841) Homepage Journal

        I'll play devil's advocate here...

        The true fault lies with the lazy citizens. They demand every government agency put their stuff online so they don't have to get off their fat asses and actually do something in person. The fault lies in the citizens always screaming "no taxes to pay for the services I demand". The fault lies with the citizens screaming for "less government" yet expecting government to do everything for them. The fault lies with the citizens who demand lowest bids be accepted for contracts allowing inferior products and services.

        Two things come to mind...

        Be careful what you wish for. You just may get it! and You get what you pay for.

        Nope. SC is accepting credit cards. They are under the same requirements (PCI) as all other MERCHANTS who wish to accept credit card payments. They weren't PCI compliant (I'll go out on a limb and 'guess' that's the case), and they got hacked.

        They need to pay the fine to Visa. That'll be interesting to see how that happens.

        I walked out of a company, where I built the IT and PCI Compliance, because exactly what the parent says will happen - does happen. I just got out before the morons in charge let us get hacked and I got fired for their idiocy. I can only imagine what happened to the IT guys at CardSystems.

    • by Vellmont (569020)


      This is yet another fine example of Government security doing its usual - leaking like a sieve, in clear violation of Statutory data security requirements. I

      Have you SERIOUSLY not paid any attention to the massive, massive amount of data security breaches that have occurred over the last 10+ years? MOST of them are from private industry. How many times did Sony get 0wn3d in 2011.. like 10?

      The problem really has nothing to do with "Government security doing its usual", it's a problem across the board. Yo

      • um...yes [independent.co.uk], actually [guardian.co.uk] I have [bbc.co.uk]. Those were just a few out of my bookmarks. OK, some of them were subcontractors to Government departments, but there are more than an insignificant number of breaches there that were quietly swept under the carpet that were entirely down to Government agents being either totally stupid or deliberately making sure that that data got out. Who knows how many breaches of remarkable severity go unreported?

        • by firex726 (1188453)

          Also the Governor of SC already cut funding and personnel to the state IT depts.
          So Yea, I would agree that it's not likely to have been an honest mistake and the eventual consequence of government action.

          You can cut corners all you like but at the end of the day, security and redundancy do cost money.

  • by starfishsystems (834319) on Friday October 26, 2012 @04:06PM (#41782179) Homepage
    The horses have run. Hurry up and close that barn door!
    • by Anonymous Coward

      The first they're aware of happened on August 27, and four more happened in September [...] breached on October 10, and the security holes were closed on October 20.

      What's wrong with this picture?

      • If you're implying they learned of the attacks on 8/27 and didn't act until 10/20, you're not reading that correctly...
    • by dmdavis (949140)
      Obviously for those 16,000, closing the leak doesn't do much good. But, assuming more than 16,000 people live in South Carolina :), there are certainly some horses still in the barn to be protected.
      • by Anonymous Coward

        Forget the credit and debit card numbers. TFA "none of the Social Security numbers were encrypted". Amusing the summary cherry picked the most useless info.

  • In other news, Cybersecurity consultants have seen an 18% increase in their hourly rates in the South Carolina area.

  • by Andy Prough (2730467) on Friday October 26, 2012 @04:13PM (#41782287)
    Well - that's reassuring! So, "only" 16,000 people potentially have their life savings at risk, or are about to have their lives turned upside down? Sure is convenient that government agencies have immunity from civil liability...
    • oh, they have that in the US as well? Here it's covered by section 71 of the Serious Organised Crime and Police Act 2005, where blanket immunity is given for any public agency which turns evidence in *any* *other* *proceeding*.

      • addendum: what I don't get is this: they broke the Law, why should they get to hide behind it?

        • by Obfuscant (592200)

          addendum: what I don't get is this: they broke the Law,

          Which law? Is there a law that says government agencies must encrypt certain information when they store it? Is there one that makes the government the criminal when a real criminal breaks in and steals data?

          • In answer to your first question: Data Protection Act 1998. In answer to your second question: the same Act, under the heading "Offences by Bodies Corporate", which includes actionable negligence.

            • by Obfuscant (592200)

              In answer to your first question: Data Protection Act 1998.

              Nice try. Last time I checked, South Carolina wasn't in the UK, so the UK Data Protection Act of 1998 wouldn't apply. I think the odd spelling of "Offences" might have been a give-away. We'd have called it "Offenses".

    • by Obfuscant (592200)

      Well - that's reassuring! So, "only" 16,000 people potentially have their life savings at risk,

      Uhhh, what? None of the data was encrypted, according to the actual article. Why the summary says most of it was is a mystery. So all of the millions have their credit/debit info exposed.

      Why you are claiming they have their "life savings" at risk, I don't know that, either. A public statement of this kind pretty much puts the credit card companies on notice that their reports of fraud are going to go up, and you don't lose your life savings just because someone steals your credit card data.

      Similarly, you

  • First in Flight, last in computer interwebs
    • Re:South Carolina (Score:4, Interesting)

      by 0racle (667029) on Friday October 26, 2012 @04:23PM (#41782437)

      South Carolina - First in Flight, last in computer interwebs

      Ah the wonders of the American Education System

      • by Nyder (754090)

        South Carolina - First in Flight, last in computer interwebs

        Ah the wonders of the American Education System

        Oh, the system we don't put money in?

        • by Obfuscant (592200)

          Oh, the system we don't put money in?

          No, the system we keep throwing money at as if simply throwing money at the system would fix it.

          You can hire a thousand teachers so the class sizes are all less than one student per teacher, and as long as the teachers are hamstrung by federal requirements (and local requirements implemented to deal with federal and state requirements), you'll not get good results.

          • by Smallpond (221300)

            The classes with less than one student per teacher don't do well.

            • by Obfuscant (592200)
              How well they do depends on how good the teachers are, not the class size. You'd expect a class with more than one teacher per student to do very well, wouldn't you? Personalized instruction.

              But I'll just point out that the statement was a bit of hyperbole in a reductio ad absurdum manner. If reducing class sizes is good, then reducing them even more must be gooder, and the lower limit is somewhere below one student per teacher. That's "throwing money at the system" for a result that is absurd.

        • Wait, are you serious? Last I checked, most teachers were earning well over the US median wage, with a few of them earning much more than that. Only a handful are earning anything near a below standard salary -> we've heard it in the press, how they're earning $10-30,000 more than the median wage of the people of their surrounding community.

          On top of that, I don't know of a teacher alive who wouldn't testify against the corruption of the administrators / supervisors of their school districts. Not one.

          You

      • North Carolina claims "first in flight", and has that phrase on the license plates, and South Carolina does not. Please don't confuse North Carolina with South Carolina.

    • First to run his mouth, last in 20th century American History

    • by crazyjj (2598719) *

      NC was first in flight.

      SC was first in fight.

    • by tombeard (126886)

      "First in Flight" is a bit north of here. Try "Smiling Faces. Beautiful Places."

  • I heard our state still runs its unemployment system this way. I would think something like that would be practically self-encrypting.
    • by MBGMorden (803437)

      Don't know about the state, but the county level agencies still run a ton of OS/400 stuff written in COBOL. Suggestions to replace the aging codebase with something newer are quickly reined in when they hear about the cost involved.

  • A social security number is just a hash code to numerically identify a person. Kind of like a full name, except a little more precise. It was my student ID for both undergrad and grad school. It has since turned into a closely guarded secret, although it is included on the paperwork of pretty much anything you sign. There's got to be a better way.

    • The SSN system is stupid, but the CC system isn't any better.

      You have to give a single set of numbers to a merchant (or other) and hope that not a single one fucks up, or you have to cancel the whole card and all the stuff (e.g. recurring payments) associated with it. It's fucking braindead, especially nowadays.

      Here we like to complain about our banks, but at least we have a decent payment system where the payer and not the payee initiates the transaction, as it should. Not to mention free virtual CCs for whe

  • by gumpish (682245) on Friday October 26, 2012 @05:26PM (#41783245) Journal

    Credit freeze [wikipedia.org]

    "A credit freeze, also known as a credit report freeze, a credit report lock down, a credit lock down, a credit lock or a security freeze, allows an individual to control how a U.S. consumer reporting agency (also known as credit bureau: Equifax, Experian, TransUnion) is able to sell his or her data. The credit freeze locks the data at the consumer reporting agency until an individual gives permission for the release of the data."

    You have to pay each of these companies $10 for the privilege, but it's worth it.

    Of course, any time you need to do something that requires a credit check (take out a loan, apply to lease an apartment, apply for a job (sometimes)...), you'll have to temporarily lift the freeze, which is another fee.

    • by Chickan (1070300)
      Thanks. I moved to SC for a job (they exist here) and will need to look into this. It's crazy you have to individually call all three credit bureaus though, seems like a good way to waste a few hours.
  • Count me as someone who got directly affected by this. Some jackass opened a fraudulent PayPal Mastercard in my name last month and promptly maxed it out. I had no idea how they could have gotten my information as I'm fairly careful with it and I didn't know of anyone I did business with that had been hacked. Now I find out a month later after the damage has been done that they almost certainly got my information from SC. They have all of my current data as I had to give it to them when I moved to my curre
  • They're just data, right? Copying them doesn't take them away. You can't steal numbers.

    Applies to music and movies, applies to any other data.
