TMCnet News

One click likely allowed hackers into breached database
[November 21, 2012]

One click likely allowed hackers into breached database


COLUMBIA, Nov 21, 2012 (The Post and Courier - McClatchy-Tribune Information Services via COMTEX) -- With one click, hackers likely were able to have their way with an S.C. Department of Revenue database that contained millions of tax records, according to a company that investigated the breach.



In a report released Tuesday, cybersecurity firm Mandiant said it thinks that on Aug. 13, a malicious email was sent to multiple Revenue Department employees.

At least one of the employees clicked the link in the email, unknowingly executing malicious software and compromising the database, according to the company.


Mandiant wrote in its report that it was unable to determine conclusively if this is how Revenue Department employee credentials used to enter the agency's systems were obtained.

The company said it based the theory on other facts discovered during its investigation.

The release of the report Tuesday came as Gov. Nikki Haley announced the resignation of Revenue Department Director James Etter, and that only taxpayers who filed electronically were compromised in the attack. People and businesses who filed paper returns were not affected, she said.

Haley said the state will be sending notification letters to those affected. People who have signed up for credit monitoring with Experian will be notified by email.

The governor said the breach affected 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 credit card accounts, all of which are now expired.

For weeks, officials had said 657,000 businesses were affected by the cyberattack. Haley explained the discrepancy Tuesday by saying the state was only 95 percent certain when it announced the earlier number.

Of Etter's resignation, Haley said she still has confidence in his abilities, but "I think Jim and I both agree that we need a new set of eyes on the Department of Revenue." Etter will stay on the job until Dec. 31. He will be succeeded by Bill Blume, who now is serving as executive director of the new S.C. Public Employee Benefit Authority.

Haley struck a different tone Tuesday when describing Mandiant's findings and how the hackers attacked the Revenue Department. She said the state "absolutely" could have done more to prevent the breach. Previously, Haley has repeatedly said nothing could have been done to stop the attack.

The two central faults in the attack, Haley said, were that the Revenue Department didn't have dual verification to get into its system, and that Social Security numbers were unencrypted.

She said the lack of encryption was compliant with Internal Revenue Service requirements.

"Having said that, should we have done more Yes, we should have done more than we did," Haley said. An IRS official did not directly respond to Haley's contention, instead offering a statement.

"Protecting taxpayer data is our top priority at the IRS," wrote agency spokeswoman Michelle Eldridge. "We have many different systems with a variety of safeguards -- including encryption -- to protect taxpayer data. The IRS has in place a robust cyber security of technology, people and processes to monitor IRS systems and networks. We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology." Haley said the state is in the process of encrypting all Social Security numbers on tax returns, and she released a letter she wrote to the IRS asking the agency to require all states to have stronger security measures for handling tax information.

"We have filers in South Carolina that file in other states, and they are not safe in other states as long as these numbers are not encrypted," she said.

Eldridge said the agency has received the letter from Haley and will be reviewing it.

Officials in neighboring Georgia and North Carolina have told The Greenville News that those states' revenue agencies encrypt all data.

Mandiant investigation Without knowing for certain how the attackers got into the Revenue Department database, Mandiant was still able to assess other aspects of the breach.

Among the company's findings: The attacker compromised 44 systems. One system had malicious "backdoor" software installed. Database backups or files were stolen from three systems. The attacker accessed 39 of the 44 systems, performing activities involving passwords and reconnaissance.

The hacker used at least 33 unique pieces of malicious software and utilities to perform the attack and steal data.

The attacker used at least four valid Revenue user accounts during the attack.

Mandiant wrote that no hacker activity has been detected since the company recommended immediate changes to Revenue Department security procedures. Longer-term improvements are in the process of being put in place, according to the company.

Haley last week detailed new cybersecurity steps the state is taking. On Tuesday, she said she also will offer additional proposals for introduction in the Legislature.

___ (c)2012 The Post and Courier (Charleston, S.C.) Visit The Post and Courier (Charleston, S.C.) at www.postandcourier.com Distributed by MCT Information Services

[ Back To TMCnet.com's Homepage ]