SC Breach: The Cost

HUNDREDS OF MILLIONS OF DOLLARS LIKELY TO BE LOST

The failure of S.C. Gov. Nikki Haley’s Department of Revenue (SCDOR) to adequately protect tax information for hundreds of thousands of South Carolina businesses could wind up costing them hundreds of millions of dollars.

In fact, if cyber thieves were to hit only one percent of the 650,000 businesses whose tax information was exposed during a recent security breach – the tab could be in the neighborhood of $340 million. This preliminary estimate was made by Chris Swecker, a former high-ranking official with the Federal Bureau of Investigation who appeared at a cyber security panel convened this week by S.C. State Treasurer Curtis Loftis.

Loftis’ office scheduled the panel prior to the breach becoming public knowledge – although its deliberations have obviously taken on a new sense of urgency.

The breach is also being investigated by a S.C. Senate subcommittee led by Sen. Kevin Bryant (R-Anderson).

Beginning on August 27, hackers infiltrated SCDOR’s computer network – stealing the business tax information along with 3.8 million Social Security numbers and nearly 400,000 credit and debit card numbers. South Carolina officials never knew they had been hacked. In fact, it wasn’t until October 10 that they were alerted to the breach by federal law enforcement authorities. It took another sixteen days for South Carolinians to learn that their data had been compromised.

Haley’s administration initially claimed that no business information had been stolen during the unprecedented breach.  She also stated that “nothing could have been done” to prevent the hack – and that South Carolina had used “industry standard” security measures.

All of these claims have been proven false.

Not only that, Haley has yet to take responsibility for the hack. In fact, her SCDOR director was one of several state agency heads to receive a 7 percent pay raise this week.

“It’s a great day in South Carolina,” right?

***

 


20 comments

LD November 14, 2012 at 8:17 am

Since everyone now says “I didn’t vote for Haley”, how did she get elected?

Reply
Ol'Rufus November 14, 2012 at 8:33 am

I voted for her. I’d have second thoughts about voting for her again but not because of this. Would this breach have happened under a Sheheen administration? In all likelihood yes.

I’m an IT guy, nothing about this is unusual at all. While Haley should take the blame for what happened after the breach, she didn’t design the system, she didn’t manage the system and the system predates her administration by more than five years (if my sources are correct). Google “state computer hacked” and you’ll discover a number of states’ systems have been successfully breached in the last year, among them Utah, Ohio and Florida.

This is exactly what happens when security is performed by the lowest bidder.

Reply
Johnny November 14, 2012 at 8:45 am

Haley lied about the breach in her press conference and to vote for a well known habitual liar should be unconstitutional. At least Sheheen has integrity which defines him. Haley has repeated corruption which defines her.

Reply
Smirks November 14, 2012 at 8:50 am

Would this breach have happened under a Sheheen administration? In all likelihood yes.

I would actually agree with that, to a point.

Haley’s response to the Medicaid leak should have included stepping up security across the board, though. The Medicaid leak and the DoR intrusion are two different breaches, one from the inside out and one from the outside in, but they are leaks nonetheless and should have been caught very quickly (we’re talking about moving a shitload of information from inside a secure network to the outside world, alarms should be going off bigtime either way).

I can’t say if Sheheen would have responded any better than Haley, or if such a response could have actually prevented this attack, but I would be more likely to defend a governor who did take at least some steps to significantly improve security. The fact that this information was not ever encrypted, though, is proof positive that SCDoR has been fucking up for a very long time, definitely before Haley.

Haley’s response to this incident, though, has been absolutely dreadful.

Reply
Ol'Rufus November 14, 2012 at 9:23 am

The DoD Medical Examination network was breached about a year ago. Forensic reconstruction points directly at the Chinese Gov’t. Most Administrators were initially unconcerned about the breach until someone pointed out that all of the information needed to construct fake identities from SSNs to medical records was present on the server – and many of the people whose records were stolen had or will have gov’t security clearances. Gov’t’s response – “…we’ll close the barn door”. No help provided to any of those at risk at all, in fact, no notice was provided.

In March of this year hackers found a weakness in a server configuration and stole 780,000 records from Utah’s Medicaid servers (who knew Utah had so many poor people…). Utah set out a plan very similar to SC’s.

The Pentagon is attacked 24/7/365 with occasional successes even though they have an entire command (Cyber Command run by the Air Farce) dedicated to protecting network infrastructure.

Only through multi-layer encryption, high level password combined with physical media security and intentional active network protection/monitoring via honeypots, pseudoservers and all kinds of computer trickery can networks be mostly protected. Most agencies can’t afford this kind of protection, most users won’t put up with the additional step required by high level security and just as soon as we get it set up, someone will figure out how to breach it.

If you have information on a server linked to the internet or even attainable through a wired or wireless entry point – your information is at risk.

Reply
Dr. D November 14, 2012 at 9:43 am

Johnny is correct! She lied! She has proven to have a pathology for lying, just like O’Bama. Along with one pathology usually come others in almost every personality with pathologies.
Haley has proven herself as a self serving individual and is alleged as to have sexual perversions also. In my opinion these allegations are almost assuredly accurate also, they tend to be found together. Not just affairs of the heart and body; but, the inability to control one’s sexual perversions (multiple partners, bisexual activity, etc.), inability to control aberration for the truth, the use of others in order to promote one’s self above all else (narcissism)!
Haley exhibits all of the above and I’m sure others.

Reply
Todd November 14, 2012 at 8:31 am

She is having a press conference today in which she will accept responsibility but will still blame it on her period.

Reply
James November 14, 2012 at 8:48 am

I can’t even stand the sight of hippo teeth needless to say listen to her tell more lies at ANOTHER press conference. She just loves getting in front of the camera regardless.

Reply
Smirks November 14, 2012 at 8:41 am

The cost to the taxpayer to cover credit monitoring and other responses is bad enough, but the worst part is when people start becoming victims and having to deal with their identity being stolen. Because of this fuck up of epic proportions, that could easily happen to any of us and through no fault of our own. Even if you are protected with some kind of money guarantee, it takes up a lot of time and resources to fight shit like that.

Reply
BigMeech November 14, 2012 at 8:44 am

If I got a 7 percent raise for working for a company that loses millions of dollars…….oh yeah that was Enron.

Reply
jimlewis,owb November 14, 2012 at 8:52 am

Stupid me.

I thought the biggest turds only rose to the top in septic tanks.

Reply
insider November 14, 2012 at 9:50 am

Drowning in your self-created cesspool must be a horrible fate. The little girl, only not so little anymore, brought it on herself.

Reply
drowning in this cesspool November 14, 2012 at 10:50 am

I noticed the “little girl” is becoming a bit rotund!

Reply
Hacked to a Nub November 14, 2012 at 10:17 am

The political appointee and the life-long bureaucrat at DOR are in a small lifeboat that is leaking air fast!! Maybe they can suggest adding a penny to the Sales Tax to pay for this mess. That seems to be the remedy for everything else!

Reply
hum_dinger November 14, 2012 at 11:59 am

hows that “smaller cheaper government” theory working out for you?

Reply
Joe November 14, 2012 at 1:24 pm

Good one there hum-dinger.

Reply
Brushjumper November 14, 2012 at 12:52 pm

Just a few items of importance here, OUR federal government and all its resources CANNOT stop hackers from across the world. Absolutely no ONE could have prevented this breach, although she should take responsibility and move to CLOSE some of the IT holes immediately.

I am more interested in JOBS and the Economy and Nikki’s effort in those areas.

Reply
hum_dinger November 14, 2012 at 1:22 pm

Cannot stop hackers?

Shoot, SC appears to have put up signs and advertized that we was ez pickins.

Using your logic, why try to secure data at all? We can all run around as one endemic mass that each of us has no single identity.

Is that what you want?

As long as a human is involved (specifically a politician), there is no two way key, and/or the data is connected to ‘the world’ – then ya, with enough determination someone can get in.

BUT – and please understand technology – intrusion techniques such as BRUTE FORCE *can* be detected.

This government is EPIC FAIL when it comes to technology.

go visit http://www.scdhec.gov – it’s been down since at least early this morning; most qualified webmasters will at least put up a “down for maintenance page” or “we are experiencing technical difficulties”

Nope – this is South Carolina – we do things different, darn it!
Who needs qualifications??!? You did, after all, elect Nikki….

Reply
Hacked to a Nub November 14, 2012 at 2:37 pm

Brushjumper, Unfortunately Nikki’s futile efforts to cover up the hacking and DOR’s lax security are better than her efforts to bring jobs and strengthen the economy in SC. The price tag on the hacking alone will ruin the economy of this state … unless you have over $340 million laying around.

But it is your right not to be interested.

Reply
anonymous October 26, 2013 at 12:48 am

NELSON MULLINS, IDENTITY THEFT, SOUTH CAROLINA, AND $100,000.00

Law firm (Nelson Mullins) tries to clear up confusion about how Experian deal reached

November 27, 2012

COLUMBIA — Thad Westbrook of Nelson Mullins, a law firm representing the state in the aftermath of a massive cyber breach now says NO competitors were contacted before the state reached a $12 million no-bid contract with Experian.

Attorney Jon Neiditz of Columbia firm Nelson Mullins said the confusion over whether the firm had contacted other credit monitoring companies resulted from an unclear statement made by another attorney, Thad Westbrook.

The Revenue Department reached an initial agreement with Experian just before the breach affecting millions of current and former S.C. taxpayers was first announced publicly on Oct. 26.

The confusion over whether Thad Westbrook of Nelson Mullins ever reached out to Experian competitors began at an Oct. 30 Senate Finance Committee hearing from comments from Nelson Mullins attorney Thad Westbrook.

Revenue Department Director James Etter, who is resigning effective at the end of this year, correctly told senators that no other companies were contacted besides Experian.

But Nelson Mullins attorney Thad Westbrook immediately followed up and told senators that pricing was obtained from two other firms but Experian had the ability to scale up quickly in an emergency situation.

Weeks after the hearing, Revenue Department spokeswoman Samantha Cheek named the other two companies that Nelson Mullins had obtained estimates from as Citreas and Identity Force.

Obtaining pricing information from Experian competitors and examination did not include reaching out to them.

Neiditz said he had pre-existing pricing information from various cyber security companies and knew Experian could offer the best deal. The leaders of other firms have disputed that assessment.

Neiditz said Monday that Thad Westbrook’s statement during the hearing caused confusion.

“It wasn’t clear,” Neiditz said. “It led to the impression that other companies had been contacted….I mentioned those vendors to him.”

Some senators have expressed concerns about the state’s NO-BID contract with Experian.

Anderson GOP Sen. Kevin Bryant said it’s worrisome that no other companies were approached following the breach.

“This snowball just keeps getting bigger and bigger as time goes by,” Bryant is co-chairman of a new oversight panel tasked with looking into the cyber attack.

Normally, state contracts are struck following a request for proposals from various companies.

The law states “competition as is practicable SHALL be obtained.”

Neiditz recommended Experian to his firm, which then recommended Experian to the state. Nelson Mullins and their attorneys are being paid an estimated $100,000 for its work assisting the state.

…EXPERIAN and two competitors as Thad Westbrook and Cheek said, but NEVER contacted any of them before deciding on Experian.

Neiditz said he first contacted Experian on Oct. 23, three days before the breach was announced.

Etter had told senators during the hearing that Experian was first contacted on Oct. 25.

The Secret Service alerted state officials to the breach on Oct. 10.

“As a result, I don’t think that those business models received full consideration. Neither did other companies.”

The CEOs of Citreas and Identity Force said that their pricing would have been competitive with Experian and their services would have been superior in some ways.

Vendors likely would have been beating down the state’s doors and possibly could have provided a better deal…

Nelson Mullins and their attorneys are being paid an estimated $100,000.00

http://www.postandcourier.com/article/20121127/PC16/121129491/

Reply