The reasons behind the South Carolina Department of Revenue (DoR) data breach are more than shocking. All state agencies have some type of computer security system in place, but there is no mandatory policy, standards, monitoring or enforcement for each of the approximately 100 state agencies, boards, commissions, colleges and universities that operate computers, the state’s inspector general says.
The DoR breach, the biggest in the state’s history, exposed 3.6 million Social Security numbers, 387,000 mostly encrypted credit or debit card numbers and information belonging to more than 650,000 businesses. The agency’s computer system was breached four times, officials have said, and the data was exposed in September. Later reports pushed the numbers even higher.
A former top official with the FBI said that if just 1 percent of the taxpayers and businesses whose information was hacked in September at the Revenue Department have their information misused, it could cost them more than $350 million, based on past FBI experience.
What caused it?
The state had two main vulnerabilities: no second factor of authentication was required to get into the system, and the Social Security data was stored without encryption. Interestingly, the Internal Revenue Service (IRS) does not mandate encryption of this data. The IRS is the revenue service of the United States federal government. The agency is a bureau of the Department of the Treasury and is under the immediate direction of the Commissioner of Internal Revenue. The IRS is responsible for collecting taxes and for the interpretation and enforcement of the Internal Revenue Code.
Two simple concepts of information security were ignored here:
1. ‘Need-based access’ was violated, and no additional authentication factor was required. The access controls that were implemented amounted to “all users have access to all data”.
2. No data-encryption rules were enforced for critical data, because encryption is not mandated. Compliance took the front seat rather than a risk-based threat assessment.
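Both missing controls are small to implement. The following Go program is an added example written for this post, not code from the DoR or any state agency: it stores a hypothetical taxpayer record with the SSN column encrypted under AES-256-GCM with a key that never touches the database, verifies a second factor (RFC 6238 TOTP, built on RFC 4226 HOTP), and releases plaintext only to a session that holds the one role whose job requires SSNs and has passed that second factor. The key, the role name `taxpayer-identity-reviewer` and the sample SSN are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// TaxpayerRecord is a hypothetical database row: the SSN column holds
// AES-256-GCM output (nonce || ciphertext || tag), never the plaintext.
type TaxpayerRecord struct {
	Name          string
	SSNCiphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSSN seals one SSN under a data-encryption key (DEK) held outside the
// database (KMS/HSM). A fresh random 96-bit nonce is prepended; random nonces
// are safe for well under 2^32 records per key, which covers 3.6M rows.
func encryptSSN(dek []byte, ssn string) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(ssn), nil), nil
}

// decryptSSN reverses encryptSSN; a tampered or truncated blob fails to authenticate.
func decryptSSN(dek, blob []byte) (string, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238 with the default 30-second time step.
func totp(secret []byte, unixTime int64) string { return hotp(secret, uint64(unixTime/30)) }

// verifySecondFactor accepts the current step and one step either side (clock
// skew), comparing in constant time.
func verifySecondFactor(secret []byte, code string, unixTime int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, unixTime+skew)), []byte(code)) {
			return true
		}
	}
	return false
}

type Session struct {
	User        string
	Roles       map[string]bool
	MFAVerified bool // set only after verifySecondFactor succeeded
}

// readSSN is the need-based access check: plaintext goes only to a session with
// the (hypothetical) role that actually needs SSNs *and* a verified second factor.
func readSSN(dek []byte, s Session, rec TaxpayerRecord) (string, error) {
	if !s.MFAVerified {
		return "", errors.New("second factor not verified")
	}
	if !s.Roles["taxpayer-identity-reviewer"] {
		return "", fmt.Errorf("user %q holds no role that needs SSN access", s.User)
	}
	return decryptSSN(dek, rec.SSNCiphertext)
}

func main() {
	dek := bytes.Repeat([]byte{0x42}, 32)        // constructed key; load from a KMS in practice
	totpSecret := []byte("12345678901234567890") // RFC 4226/6238 test-vector secret
	ct, _ := encryptSSN(dek, "123-45-6789")      // constructed sample SSN
	rec := TaxpayerRecord{Name: "J. Doe", SSNCiphertext: ct}
	fmt.Printf("stored column: %x\n", rec.SSNCiphertext) // all an exfiltrated dump would show
	s := Session{User: "reviewer1", Roles: map[string]bool{"taxpayer-identity-reviewer": true}}
	s.MFAVerified = verifySecondFactor(totpSecret, totp(totpSecret, 59), 59)
	fmt.Println(readSSN(dek, s, rec))
}
```

With this layout a dump of the table yields only ciphertext, a stolen password alone does not satisfy `readSSN`, and a user whose job never touches identity data cannot obtain SSNs even after logging in. Key management is the part that needs the most care: the DEK must be stored and accessed separately from the database credentials, or the encryption adds nothing.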
- Why is top management’s view of information technology so inadequate?
- What happened to IT governance in the US government?
- Why could the compliance standards not be applied to a public body?
- What happened to the concurrent or statutory IT audit?
- Why could risk assessments not prevent this, if they were conducted at all?
... and many more questions that remain unanswered!