S.C. tax breach began when employee fell for spear phish
A targeted phishing email delivered to an employee at the South Carolina Department of Revenue opened the door for attackers to exfiltrate Social Security numbers and other personal data belonging to millions of residents, according to a report prepared by the forensic firm that investigated the massive breach.
Mandiant, a company that provides incident response services, said in its report, released Tuesday, that the attack began on Aug. 13 when a number of workers received the malware-laden phishing email. At least one employee fell for the ruse, which executed malware that stole the employee's username and password.
Two weeks later, the attackers used these credentials to log in to the Department of Revenue's remote access service, giving them access to the employee's computer. They then used that worker's access privileges to reach other systems and databases on the state agency's network.
A few days later, using a utility tool, the saboteurs obtained account passwords for many other users, and over the next two weeks used these credentials to "interact" with and conduct reconnaissance on a multitude of servers. On Sept. 12, the attackers began taking action: over the next two days, they compressed database backup files into 14 encrypted archives containing 8.2 GB of data, which they shipped out to a server they controlled.
While they did not conduct any other malicious activity, the fraudsters maintained unhampered access to the Revenue Department's network until roughly the middle of October.
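The sequence Mandiant describes (backups staged into a handful of archives over two days, then pushed out to an attacker-controlled server) is one a defender can look for in host and network telemetry. The following is an added example, not code from the Mandiant report or from SC Magazine: it correlates archive creation on a host with large outbound transfers to addresses outside the site's own ranges, run over log lines constructed for this example. The log format, the thresholds, the internal address ranges and the host and user names are all assumptions.

```python
"""Added example: flag hosts that create many archives and then send a large
volume of data to an external address inside one time window. The sample
telemetry below is constructed for this example and is not from the South
Carolina Department of Revenue investigation."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> key=value key=value ...". Every line carries
# host=, user= and event=; archive_create adds path= and size_mb=, net_out adds
# dst= and bytes=.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

# Assumed address plan: anything outside these ranges counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

ARCHIVE_MIN = 5              # archives created on one host within the window
EGRESS_MIN_BYTES = 1 << 30   # 1 GiB sent to external addresses within the window
WINDOW = timedelta(hours=72)  # window starts at the first archive on the host


def _sample_logs():
    """Constructed telemetry: dbsrv01 shows the staging-then-exfil pattern
    (14 archives, then ~8.8 GB to an outside address); ws22 is routine."""
    lines = []
    for i in range(1, 15):
        ts = datetime(2012, 9, 12, 20, 0) + timedelta(hours=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} host=dbsrv01 user=svc_backup "
                     f"event=archive_create path=D:\\stage\\part{i:02d}.rar size_mb=600")
    lines.append("2012-09-14 02:30:00 host=dbsrv01 user=svc_backup "
                 "event=net_out dst=203.0.113.10 bytes=8800000000")
    lines.append("2012-09-12 09:00:00 host=ws22 user=jdoe "
                 "event=archive_create path=C:\\Users\\jdoe\\q3.zip size_mb=12")
    lines.append("2012-09-12 09:05:00 host=ws22 user=jdoe "
                 "event=net_out dst=10.20.1.5 bytes=12000000")
    return lines


SAMPLE_LOGS = _sample_logs()


def parse_line(line):
    """Return a dict of fields with a datetime under 'ts', or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return fields


def is_external(addr):
    """True if the address lies outside the assumed internal ranges;
    unparseable destinations (hostnames) are treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def find_staging_exfil(lines):
    """Correlate archive creation with external egress per host and return
    one finding per host that crosses both thresholds."""
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        archives = [e for e in evs if e["event"] == "archive_create"]
        if len(archives) < ARCHIVE_MIN:
            continue
        start = archives[0]["ts"]
        end = start + WINDOW
        egress = sum(int(e["bytes"]) for e in evs
                     if e["event"] == "net_out" and is_external(e["dst"])
                     and start <= e["ts"] <= end)
        if egress >= EGRESS_MIN_BYTES:
            findings.append({"host": host, "archives": len(archives),
                             "external_bytes": egress, "first_archive": start,
                             "users": sorted({e["user"] for e in archives})})
    return findings


if __name__ == "__main__":
    for f in find_staging_exfil(SAMPLE_LOGS):
        print(f"{f['host']}: {f['archives']} archives, "
              f"{f['external_bytes'] / 1e9:.1f} GB external egress, users={f['users']}")
```

The two thresholds are deliberately coarse; the point is the correlation rather than either signal alone, since backup jobs create archives and servers send data all the time, but a single host doing both toward an address outside the site's own ranges within a short window is worth a look. In practice the internal ranges would come from the site's address plan and the window and byte thresholds from a baseline of normal backup traffic.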
When the smoke cleared, the damage was astonishing. Gov. Nikki Haley told reporters on Tuesday that the Social Security numbers of 3.8 million electronic tax filers, as well as 1.9 million of their dependents, were stolen, according to updated figures. In addition, nearly 700,000 businesses, 3.3 million bank accounts and 5,000 expired credit cards were compromised.
"The main question that I asked Mandiant yesterday was, 'Did we have a chance to do a better job?'" Haley said. "And we did."
She said the agency failed to protect the data because it did not require two-factor authentication to get into the systems housing the personal information. As well, the department failed to encrypt the data.
"When you combine the fact that we had 1970 equipment...with the fact that we were IRS-compliant was a cocktail for attack," she said. "And the reason I say this is the IRS, which we were compliant with, does not believe you have to encrypt Social Security numbers."
Haley said she has sent a letter to the federal tax collector, requesting that it institute encryption requirements for Social Security numbers. An IRS spokesman did not immediately respond to a request for comment from SCMagazine.com.
"Protecting taxpayer data is our top priority at the IRS," the agency said. "We have many different systems with a variety of complex safeguards -- including encryption -- to protect taxpayer data. The IRS has in place a robust cyber security process involving technology, people and processes to monitor IRS systems and networks. We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology."