COLUMBIA, S.C. -- A single malicious email sent to workers at the South Carolina Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday.
“We were a cocktail for an attack,” Gov. Nikki Haley said, referring to the necessary ingredients for cyberassault, as she released a report by a computer security firm Mandiant, which was commissioned to investigate the data breach. At the same time, Haley accepted the resignation of her Department of Revenue director, Jim Etter, and acknowledged that state officials “could have done more” to protect the personal data of state residents.
The release of the report came amid a mounting political uproar here over the cyberattack and criticism of Haley over her handling of the issue.
“I’ve gotten more phone calls and emails about this than anything else in the last four years,” said Tom Davis, a state senator and former chief of state to Gov. Mark Sanford. “There’s a great degree of anger and frustration over what happened. This is information you’ve got to give the government; if you don’t, they put you in jail. There’s a real sense of betrayal,” he said.
According to the Mandiant report, the cyberattack, which state sources say is believed to have originated inside Russia, started with a “phishing” scheme, a common tactic used by cyber criminals.
Last Aug. 13, a hacker sent multiple South Carolina Department of Revenue employees a malicious email containing an embedded link containing malware or a computer virus. When at least one of the employees clicked on the link, the malware was activated and allowed the hacker to steal the employee’s user name and password.
From there, the hacker was off to the races. Two weeks later, the attacker logged onto the remote-access service for Department of Revenue computers, using the credentials of an employee who had clicked on the Aug. 13 email. The invader then “leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials,” the report states.
The attacker performed “reconnaissance activities” over the next several weeks, then started copying large amounts of data and transferring them onto zip files that were moved onto the Internet. The breach was not discovered until the Secret Service notified state officials on Oct. 10 that it had uncovered information that data on three state residents had been stolen.
Since then, Haley and other state officials have scrambled to react as the magnitude of the attack has become increasingly apparent. In addition to 3.8 million tax returns, including the Social Security numbers of 1.9 million children and other dependents, the hackers got access to data on 699,900 business tax returns and 3.3 million bank accounts.
The attack has exposed vulnerabilities that experts say will cause state governments across the country to reexamine their cyber-defenses. Although South Carolina had encrypted credit card numbers according to industry standards, it had never encrypted the Social Security numbers. And some cyber experts say there is evidence that that data may now be marketed on Internet black market sites that peddle personal information on millions of Americans.
Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted. She released a letter to IRS Commissioner Steven Miller “to strongly encourage the Internal Revenue Service to require all states to have stronger security measures for handling federal tax information, particularly encryption of tax information that is stored or ‘at rest.’”