Why I'm Upset About the S.C. Department of Revenue Breach

Tuesday, December 04, 2012

Kelly Colgan


My name is Nate Spurrier. I’m a South Carolina taxpayer, and therefore, a potential victim of the massive South Carolina Department of Revenue Breach. I work in the identity theft and data risk industry, so when I heard about how everything was being handled and what was being offered, I was upset.

When news broke that there had been a breach at the state's Department of Revenue, I knew the ramifications, to consumers, the government, and other agencies, would be severe. At this point in time, more than one month since the announcement of the Oct. 26 breach, state residents still don’t have answers. Let me give it to you straight.

The state Department of Revenue proved that it had not invested the proper amount of time and energy in security. It didn’t use basic safeguards to protect consumer data such as two-factor authentication, encryption, and employee training. The main cause of this breach was a spear-phishing attack. A spear-phishing email is typically sent to one individual and includes a link leading to a fake website requesting personal information such as a username and password. Sometimes, the recipient is required to download a file. These types of emails are sent every day. With basic knowledge and minimal training, most recipients learn to not click links from unknown senders and better yet, they definitely know to never provide username and password information.

At IDentity Theft 911, we say that you’re only as strong as your weakest link. With this in mind, businesses should ask:

  • Do I have the proper security measures in place?
  • Where are my potential vulnerabilities?
  • What may employees be lacking in terms of training and knowledge?

Encryption and two-factor authentication are standard with any business that maintains personal information, never mind a state’s tax agency.

So what’s next for state taxpayers? Probably some instances of identity theft. The government has shown how little it understands when it comes to data breach risks. Initially, one year of credit monitoring was offered. Not long after that announcement, questions started circulating about identity theft occurrences after one year. Since identity theft can cover many areas (medical, financial, criminal, employment, tax, etc.) over a person’s lifetime, the government decided to extend the package indefinitely. Even worse, after the initial announcement of the breach, the government had to update the public with more bad news: sensitive business information also had been exposed. From the perspective of an informed citizen, my confidence in our state government is low.

Here’s my advice: As a consumer, educate yourself on how to identify whether you’re an identity theft victim. We may not always have the power to control our personal information (how it’s stored, managed, and destroyed), but we can be aware of the warning signs of identity theft. Watch out for late payment notices, declined loan applications, etc. Ensure you’re actively managing all aspects of your identity portfolio, including credit reports, tax records, and medical records. While a credit monitoring package provides some protection, it does not prevent identity theft or even identify every form of identity theft.

Aside from the potentially lifelong issues identity theft can bring to a victim, the biggest issue is how little citizens understand the risks associated with this breach and how little the government has done to protect its own citizens.

Nate Spurrier is Director of Business Development for IDentity Theft 911.

Tom Coats: It is a sad statement that state (and federal) agencies don't seem to understand data security, even after so many years of repeated breaches, so often evidence of a lack of appreciation of the value of the information. "My performance evaluation is based on reducing cost, not on your credit rating." There are many motivational reasons that this happens again and again. You essentially need data security to be defined as a goal and measured. That in government means voting for and hiring people who see this as a goal.
The idea that government should be essentially incompetent, otherwise people might think it worth paying for, definitely has relevance here. Here, as in the case in private industry, security is seen only as a cost, and the value of damage avoided is very difficult to demonstrate when faced with the determined cost-cutting bureaucrat/manager.

And the even sadder thing is that, as you suggest, the actions to reduce the risk and reduce the damage are much lower if taken before the breach occurs. Just one bureaucrat with the right job description can provide the guidance and leadership; SIEM and GRC tools are cool, but you can prevent so much more with a security culture. Management through goals: hire somebody, vote for somebody who has the goal of preventing such idiocy in the future. Competent government is possible, but only if you want it. (And thirty years of not wanting it has taken its toll.)
Marc Quibell: Two-factor...encryption are considered best practices, and are not the "standard". They are still not widely employed, unfortunately. I appreciate the attempt to advertise his (Nate's) business, however. And now with cloud computing it is easier than ever to log right into someone's internal network.

Exactly, Tom Coats, I agree 100%. And to add to that, the government has absolutely nothing at stake here. They have no "company image" risks. They have no job loss risk, no responsibilities to anyone for that matter, as opposed to, say, the risks private businesses have and take every day. It's not that they don't understand; they just lack motivation to do what is right.