Data Breach Could Cost State $12 Million
More people taking advantage of monitoring service as investigation into breach continues.
At the third press conference in the five days since it was announced that a hacker had accessed 3.6 million Social Security numbers in a data breach, Gov. Nikki Haley said that progress is being made to protect the personal data of South Carolina citizens from further harm.
While efforts continue to limit the damage the breach has caused to individual taxpayers, doing so could end up costing the state as much as $12 million.
Haley said that so far 533,000 people had called the toll-free number and 287,000 had signed up for credit monitoring. Haley also said that average wait times for those calling in had fallen from 12 minutes to 10.
Go to the website protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422.
The consumer credit agency Experian is charged with monitoring credit reports and will include reports from the other two major reporting agencies, TransUnion and Equifax. Taxpayers can sign up free of charge from now through the end of January to have their credit report monitored for a year and receive fraud resolution for life.
The year-long monitoring service usually costs $49.95, but Haley said negotiations with Experian resulted in a cap for the state to pay no more than $12 million. If all those affected by the breach took advantage of the service, the cost would be upwards of $18 million.
Appearing at the press conference with Haley were SLED Chief Mark Keel and Department of Revenue Director James Etter.
Keel offered little explanation of why 16 days passed between the time the data was breached and the time the public was made aware of it. Keel said that going public would have jeopardized the investigation and that, for the same reason, he was limited in the amount of information he was able to provide at Tuesday’s session.
Haley reiterated that the parties responsible for the breach were “creative” and “sophisticated.” She also noted that entities such as Google, the CIA and the White House had been breached. “This is the world we live in. Everyone wants to blame someone for this, but this person responsible is a hacker overseas. There is nothing that the Department of Revenue could have done.”
D.P
1:23 pm on Tuesday, October 30, 2012
Writer and Editor should do a spell check before publishing!
Ray Riverdove
1:54 pm on Tuesday, October 30, 2012
I stopped reading at "weight time" - please spell check.
Lindsay Street
2:27 pm on Tuesday, October 30, 2012
Thank you both for catching the mistakes! Edits have been made — not by me but it appears another editor has cleaned it up.
And to be fair, spell check wouldn't have caught "weight time" since it was correctly spelled, just incorrectly used. Again thank you for your vigilance!
SDR
4:42 pm on Tuesday, October 30, 2012
Ewe are write a boat spell Czech.
Shawn Drury
2:51 pm on Tuesday, October 30, 2012
Thanks for the catch and thanks Lindsay!
Carol P.
4:31 pm on Tuesday, October 30, 2012
Maybe if everyone would stop filing their taxes this would stop. What kind of security does the public have, and WHY DO WE HAVE TO PAY TAXES IF WE ARE NOT PROTECTED!!! It took me an entire day off work to get our family protected and for no fault of our own. What kind of a place do we live in?
SDR
4:40 pm on Tuesday, October 30, 2012
"There is nothing that the Department of Revenue could have done."
That is a lie.
This will haunt generations of SC citizens for years. Those holding the information will wait and wait and then wait some more. Then they will file fraudulent tax returns, apply for, receive and use lines of credit and a whole host of things quickly. Then move on to the next number.
Experian will just let you know it has happened....if you still subscribe ten years from now.
Mike N.
3:17 pm on Wednesday, October 31, 2012
"There is nothing that the Department of Revenue could have done."
She may be correct. The breach might have come in the same way the Banker computer viruses behave: an employee with access to the DOR systems clicked on a Spear Phishing email and the computer was infected. Then the hacker had full access to anything the employee's computer had access to, including being able to intercept communications.
Even encrypted credit card numbers would leak if the infected computer had access to the program that decrypts the credit card numbers.
GunnyHighway
10:54 pm on Wednesday, October 31, 2012
Spear phishing attacks are defendable. The first defense is User Training. But that costs money... You need to develop or buy the training programs and you need to pay your employees while they get trained. Then you need to harden your network so that if the attack is successful, the data is contained in your network and is not allowed to be transmitted to the attacker. Encryption of the data would lessen the chances of a leak by reducing the number of computers that had access to the unencrypted data, thereby making it even more difficult to steal.
Haley needs to stop making excuses and take ownership of this problem. She needs to fire the DOR CIO immediately! This was preventable and anyone who says otherwise is part of the problem!
Mike N.
6:10 am on Thursday, November 1, 2012
>Spear phishing attacks are defendable. The first defense is User Training.
The attackers are increasingly sophisticated. User Training only goes so far. They can take over the email of a coworker and send an attachment that looks just like a routine attachment the coworker sends.
>Then you need to harden your network so that if the attack is successful, the data is contained in your network and is not allowed to be transmitted to the attacker.
The only way to do this is to completely disallow web browsing on the DOR access computer. Otherwise as soon as the employee logs into the web proxy - boom the hacker has control of their computer.
> Encryption of the data would lessen the chances of a leak by reducing the number of computers that had access to the unencrypted data, thereby making it even more difficult to steal.
With full access to the computer system - sooner or later they'll have access to the program that decrypts the credit cards.
Not saying that this attack was so sophisticated, but the only 99% secure solution is a completely separate network that would require a Stuxnet-style attack to jump and collect data.
Carol P.
4:43 pm on Tuesday, October 30, 2012
Someone needs to get this resolved and NOW. Why should it cost the taxpayers? This is no error of ours. Count the number of hours we will spend calling the credit bureaus, credit card companies, and banks for our checking accounts. I was told by BOA to close my checking and saving and open new. Who is paying for all the checks I just purchased? This has me furious. Guess I should have never left NC for SC.
rb
7:27 pm on Tuesday, October 30, 2012
Gov. Haley said steps have been taken to protect the personal data of South Carolina citizens from further harm...kind of like closing the barn door after the cow gets out.
GunnyHighway
12:24 am on Wednesday, October 31, 2012
"There is nothing that the Department of Revenue could have done."
Typical cop-out by the Gov, and completely false. She wants us to believe that security breaches are inevitable, that nothing is secure. So why bother even trying? If this is true, why not just go ahead and post all our SS numbers and credit card info on a website for the crooks to download? Think of all the money that could be saved, instead of wasting it on useless computer security.
This was a failure on someone's part to do their job, and Haley's refusal to hold anyone responsible is a failure of leadership. Cronyism at its best. Effective security isn't easy, but it is possible. We should not be forced to accept mediocre performance from our government officials.
Karen
2:58 am on Thursday, November 1, 2012
This, in my opinion, has been a very slow and lax reaction to this crisis on the part of the SC state gov't. When this happened to a friend of mine in CA, they were given a year's membership with Lifelock, that essentially does all of the calling for you, to all of your credit cards, bank accounts and puts not only surveillance on your SocSec records, but also puts a freeze and fraud alert on everything for you. It's ridiculous that the citizens of SC have the headache of doing this all ourselves.
Mike N.
6:14 am on Thursday, November 1, 2012
> year's membership with Lifelock, that essentially does all of the calling for you, to all of your credit cards, bank accounts and puts not only surveillance on your SocSec records, but also puts a freeze and fraud alert on everything for you
Lifelock doesn't freeze your credit - it is only a fraud alert system; you find out after someone has opened credit in your name.