South Carolina is currently facing an unprecedented data breach that's drawing fire from citizens, and forcing questions about IT governance into the spotlight.
While the rest of the East Coast battled Hurricane Sandy this week, South Carolina's State Department of Revenue acknowledged the theft of tax-related data from 657,000 businesses, and up to 3.6 million individuals.
South Carolina Department of Revenue's website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.
The lack of data encryption for the SC data jumped out at nearly everyone with any knowledge of IT, putting South Carolina Governor Nikki Haley on the defensive. At a press conference this week, she said: "The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt. It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."
That stance has drawn criticism from a range of sources, including Internet Evolution 7DEE lecturer Richard Stiennon, founder and chief research analyst at IT-Harvest, who spoke today in "Getting Security Right in the Cloud." Earlier this week, he told Computerworld:
Critical data, especially personally identifiable information, must be protected and Social Security numbers linked to names, ranks at the top
[of the list of items that need to be protected] Encryption technology is readily available for data stores. It is not cumbersome to encrypt data. To the contrary, it is easy to do and most retailers and payment processors do it regularly.
IT pros may ask, "Where was the CIO in all of this?" Oddly, Mike Garon, the former CIO at South Carolina's Department of Revenue, resigned on September 21, a resignation which, according to spokespeople, was not related to the breach.
A note to Mr. Garon received no response prior to publication.
There are several lessons for IT in this story. The main one, of course, is that the cost of security remains more acceptable than the cost of a breach. IT professionals who do not understand this could mysteriously disappear from their posts without a trace.
@Mitch Wagner - It's easy to see why SC doesn't look competent in the wake of this breach. Early on you have the governor and the state Revenue Department head saying "nothing could have prevented the breach". Now, after the investigation, it showed that they could have done a lot more.
With industrial accidents (an explosion at a plant, or a chemical spillage, say), businesses are required to follow very precise regulations when it comes to informing people, protecting people, and addressing the damage. If they don't, they face hefty fines.
It's time we had something like OSHA holding enterprise accountable when it comes to digital disasters.
As a South Carolina resident I'm living through this mess. The state did not inform the affected taxpayers. Instead, we had to call in through an 800 number to get a code we could use to get 1 year of credit protection. They did not automatically enroll everyone, due to 'privacy concerns'. There is still confusion as to which SSNs, bank accounts and credit card numbers were compromised.
They did not notify anyone of the breach until a local newspaper filed a FOI request. They were using the time to 'track down the hackers'.
At this point, they have not announced who was compromised, what was compromised, exactly how this was accomplished and what the plan is to clean up this mess. We continue to hear that no one was to blame and there will not be discipline taken against public employees.
Ironically, the state's IT portrays itself as highly competent. Its Website calls out October as "Cyber Security Awareness Month" and describes the agency as "Leading the Way" with cyber security tips.