S.C. tax breach began when employee fell for spear phish


A targeted phishing email delivered to an employee at the South Carolina Department of Revenue opened the door for attackers to exfiltrate Social Security numbers and other personal data belonging to millions of residents, according to a report prepared by a forensic firm that investigated the mega breach.

Mandiant, a company that provides incident response services, said in its report, released Tuesday, that the attack began on Aug. 13 when a number of workers received the malware-laden phishing email. At least one employee fell for the ruse, which executed malware that stole their username and password.

Two weeks later, the attackers used these credentials to log in to the Department of Revenue's remote access service, giving them access to the employee's computer. They then used that worker's access privileges to reach other systems and databases on the state agency's network.

A few days later, using a utility tool, the saboteurs obtained account passwords for many other users, and in the next two weeks, used these credentials to "interact" with and conduct reconnaissance on a multitude of servers. On Sept. 12, the attackers began taking action, and over the next two days, compressed database backup files into 14 encrypted archives containing 8.2 GB of data, which they shipped out to a server they owned.

While they did not conduct any other malicious activity, the fraudsters maintained unhampered access to the Revenue Department's network until roughly the middle of October.

When the smoke cleared, the damage was astonishing. Gov. Nikki Haley told reporters on Tuesday that the Social Security numbers of 3.8 million electronic tax filers, as well as 1.9 million of their dependents, were stolen, according to updated figures. In addition, nearly 700,000 businesses, 3.3 million bank accounts and 5,000 expired credit cards were compromised.

"The main question that I asked Mandiant yesterday was, 'Did we have a chance to do a better job?'" Haley said. "And we did."

She said the agency failed to protect the data because it did not require two-factor authentication to get into the systems housing the personal information. As well, the department failed to encrypt the data.

"When you combine the fact that we had 1970 equipment...with the fact that we were IRS-compliant was a cocktail for attack," she said. "And the reason I say this is the IRS, which we were compliant with, does not believe you have to encrypt Social Security numbers."

Haley said she has sent a letter to the federal tax collector, requesting that it institute encryption requirements for Social Security numbers. An IRS spokesman did not immediately respond to a request for comment from SCMagazine.com.

The governor also announced that, as a result of the breach, Department of Revenue Director Jim Etter will resign as of Dec. 31.
 
UPDATE: IRS spokesman Eric Smith emailed this statement:

"Protecting taxpayer data is our top priority at the IRS," it said. "We have many different systems with a variety of complex safeguards -- including encryption -- to protect taxpayer data. The IRS has in a place a robust cyber security process involving technology, people and processes to monitor IRS systems and networks. We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology."
