Lack of Security Policy behind Columbia’s BIGGEST breach

The reasons behind South Carolina Department of Revenue (DoR) data breach are more than shocking . All state agencies have some type of computer security system in place, but there is NO mandatory policy, standards, monitoring or enforcement for each of the approximately 100 state agencies, boards, commissions, colleges and universities that operate computers, the state’s inspector general says.

The Breach

The DOR breach, the biggest in the state’s history, exposed 3.6 million Social Security numbers, 387,000 mostly encrypted credit or debit card numbers and information belonging to more than 650,000 businesses. The agency’s computer system was breached four times, officials have said, and the data was exposed in September. The later reports push the numbers even high.

A former top official with the FBI said that if just 1 percent of the taxpayers and businesses whose information was hacked in September at the Revenue Department have their information misused it could cost them more than $350 million, based upon past FBI experience.

What caused it?

Apparently, they do NOT have an effective data security policy which is more than clear from the statement made by Senator Vincent Sheheen, who narrated the entire episode a week ago – “when a group of us simply asked the Administration and the Department for a copy of the DOR data security policy so we could better understand what went so terribly wrong, we got this – an answer you would expect in a third world banana republic- we were essentially told that they couldn’t tell us the policy that had failed so badly because it might “further compromise” security. I would have laughed if it hadn’t made me want to cry”
The state had two main vulnerabilities. There was no dual verification required to get into the system and the social security data had no encryption. Interestingly, Internal Revenue Service (IRS), does not mandate the data encryption.The IRS is the revenue service of the United States federal government. The agency is a bureau of the Department of the Treasury, and is under the immediate direction of the Commissioner of Internal Revenue. The IRS is responsible for collecting taxes and the interpretation and enforcement of the Internal Revenue Code.

Two simple concepts of information security were ignored here:

1. ‘Need based access’ – violated and no additional authentication !! All users have access to all stuff kind of access controls was implemented.

2. ‘No data encryption’ rules were enforced for critical data as it is not mandated. Compliance took front seat and not a risk based threat assessment.

Few questions?

  1. Why the top management view of information technology is so inadequate? 
  2. What happened to the IT Governance, in the US Government? 
  3. Why the compliance standards could not be applied to a public body? 
  4. What happened to the concurrent or statutory IT Audit? 
  5. Why risk assessments could not prevent this, if conducted?and many more questions .. that remain unanswered !


3 thoughts on “Lack of Security Policy behind Columbia’s BIGGEST breach

Comments are closed.