South Carolina is currently facing an unprecedented data breach that's drawing fire from citizens and forcing questions about IT governance into the spotlight.
While the rest of the East Coast battled Hurricane Sandy this week, South Carolina's State Department of Revenue acknowledged the theft of tax-related data from 657,000 businesses, and up to 3.6 million individuals.
The South Carolina Department of Revenue's website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.
The lack of encryption on the SC data jumped out at nearly everyone with any knowledge of IT, putting South Carolina Governor Nikki Haley on the defensive. At a press conference this week, she said: "The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt. It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."
That stance has drawn criticism from a range of sources, including Internet Evolution 7DEE lecturer Richard Stiennon, founder and chief research analyst at IT-Harvest, who spoke today in "Getting Security Right in the Cloud." Earlier this week, he told Computerworld:
Critical data, especially personally identifiable information, must be protected, and Social Security numbers linked to names rank at the top [of the list of items that need to be protected]. Encryption technology is readily available for data stores. It is not cumbersome to encrypt data. To the contrary, it is easy to do and most retailers and payment processors do it regularly.
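Stiennon's point that encrypting stored Social Security numbers is routine rather than cumbersome, shown as an added example that is not code from the original post or from any South Carolina system: AES-256-GCM over one SSN column in Go, with the taxpayer record ID bound in as associated data so a ciphertext moved to another row will not decrypt, and a read path that refuses a value stored in the clear. The `enc:v1:` marker, the record IDs and the sample SSN are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed example: AES-256-GCM for one SSN column before it reaches the data
// store. The taxpayer record ID is bound in as associated data, so a ciphertext
// copied into another taxpayer's row will not decrypt.
const encPrefix = "enc:v1:" // assumed marker for a protected column value

// Encrypt returns a prefixed, base64 value holding nonce || ciphertext+tag.
func Encrypt(aead cipher.AEAD, recordID, ssn string) string {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // cannot fail since Go 1.24; on older Go, check the error
	ct := aead.Seal(nonce, nonce, []byte(ssn), []byte(recordID))
	return encPrefix + base64.StdEncoding.EncodeToString(ct)
}

// Decrypt rejects unprotected values outright: a plaintext SSN in the store
// is a finding to report, not something to pass through silently.
func Decrypt(aead cipher.AEAD, recordID, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return "", errors.New("unencrypted SSN found in data store")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if n := aead.NonceSize(); err != nil || len(raw) < n {
		return "", errors.New("malformed stored value")
	} else if pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(recordID)); err == nil {
		return string(pt), nil
	}
	return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
}

func main() {
	key := make([]byte, 32) // demo only; production keys come from a KMS or HSM
	rand.Read(key)
	block, _ := aes.NewCipher(key) // error is nil for a 32-byte (AES-256) key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	ct := Encrypt(aead, "taxpayer-0001", "123-45-6789") // constructed sample SSN
	fmt.Println(Decrypt(aead, "taxpayer-0001", ct))
	fmt.Println(Decrypt(aead, "taxpayer-0002", ct)) // same ciphertext, other row
}
```

The second Decrypt call fails because the associated data no longer matches, which is the property that stops a copied ciphertext from being read under another taxpayer's record.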
IT pros may ask, "Where was the CIO in all of this?" Oddly, Mike Garon, the former CIO at South Carolina's Department of Revenue, resigned on September 21; according to spokespeople, the resignation was not related to the breach.
A note to Mr. Garon received no response prior to publication.
There are several lessons for IT in this story. The main one, of course, is that the cost of security remains more acceptable than the cost of a breach. IT professionals who do not understand this could mysteriously disappear from their posts without a trace.
@Mitch Wagner - It's easy to see why SC doesn't look competent in the wake of this breach. Early on you have the governor and the state Revenue Department head saying "nothing could have prevented the breach". Now, after the investigation, it showed that they could have done a lot more.
Indeed, Joanne! Hopefully, the misfortunes of the Northeast will spur action elsewhere. South Carolina is in the hurricane alley too; it's no time to be wavering on security policies.
With industrial accidents (an explosion at a plant, or a chemical spillage, say), businesses are required to follow very precise regulations when it comes to informing people, protecting people, and addressing the damage. If they don't, they face hefty fines.
It's time we had something like OSHA holding enterprise accountable when it comes to digital disasters.
Wow, hpollard. This IT outfit gets no kudos, surely. And the government that doesn't seem to understand the technology involved is enabling them to cover their tracks pretty effectively.
As a South Carolina resident I'm living through this mess. The state did not inform the affected taxpayers. Instead, we had to call in through an 800 number to get a code we could use to get 1 year of credit protection. They did not automatically enroll everyone, due to 'privacy concerns'. There is still confusion as to which SSNs, bank accounts and credit card numbers were compromised.
They did not notify anyone of the breach until a local newspaper filed a FOI request. They were using the time to 'track down the hackers'.
At this point, they have not announced who was compromised, what was compromised, exactly how this was accomplished and what the plan is to clean up this mess. We continue to hear that no one was to blame and no discipline will be taken against public employees.
Ironically, the state's IT portrays itself as highly competent. Its website calls out October as "Cyber Security Awareness Month" and describes the agency as "Leading the Way" with cyber security tips.