Attackers Had Access for Months in South Carolina Data Breach

Attackers had two months of unfettered access to South Carolina’s Department of Revenue systems in a classic targeted attack that began with a phishing email and ended with the loss of electronic tax return data, and payment card and personal information on 3.8 million filers, possibly dating back to 1998.

Governor Nikki Haley said her administration could have done more to prevent the breach, and that she had accepted the resignation of DOR director Jim Etter. Haley pointed in particular to the lack of two-factor authentication securing access to sensitive systems, and the lack of encryption on the Social Security numbers stolen in the attack. Like most executives, Haley admitted a false sense of security in that the state’s systems were compliant with Internal Revenue Service standards, which did not mandate encryption of Social Security numbers.

“When you combine 1970 equipment and the fact we were IRS compliant, that was a cocktail for an attack,” Haley said. “The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers. Should we have done more? Yes, we should have done above and beyond what we did.”

Haley said an encryption deployment is under way and that she has contacted the IRS urging them to re-examine their stance on encryption. She said she has also contacted other state governors urging them to be proactive about the security of citizens’ data.

In the meantime, the state released a report on the attack prepared by forensics firm Mandiant, which was hired Oct. 12 to handle incident response.

Mandiant’s report said the attack was initiated Aug. 13 when multiple DOR employees were sent a phishing email. One user clicked on an embedded link and was infected with malware that stole the user’s credentials.

Two weeks later, the intrusion began in earnest when the hacker logged into a Citrix remote access service using the stolen credentials and began to pivot among numerous DOR systems and databases. By Sept. 1, the attacker had obtained user passwords on six servers and all Windows user accounts. They’d also dropped a backdoor on an unidentified server.

Within a matter of days, 38 servers had been accessed with the stolen credentials and reconnaissance activities performed, Mandiant said. On Sept. 12, database backup files were copied to a staging area and were eventually compressed into 14 7-zip archives that were copied to another server and then exfiltrated out of the network before the zip archives were deleted.

The attackers then went dark until Oct. 17 when connectivity with the backdoor was checked. This was 10 days after law enforcement had notified the state of the breach. On Oct. 19, Mandiant said remediation began and the attackers’ access was cut off. But not before 44 systems had been compromised using 33 pieces of malware and malicious utilities including several password dumping tools, administrative utilities, Windows batch scripts, and utilities to execute commands against databases.
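The chain Mandiant describes above (one stolen account fanning out across dozens of servers, backups compressed into archives in a staging area, then a large transfer out of the network) leaves a footprint that a defender can correlate. The script below is an added illustration, not code from the article or from Mandiant's report: it runs two such detections over a handful of constructed log lines. The pipe-delimited log format, the hostnames, the user names, the 10.0.0.0/8 internal range and the size and time thresholds are all assumptions made for the example.

```python
"""Correlate constructed endpoint and network events for two stages of the
intrusion described in the article: lateral movement by one account and
staging of large archives followed by an outbound transfer.
Log format, hostnames, internal range and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DOR telemetry): ts|host|event|key=value...
SAMPLE_LOG = r"""
2012-08-27T09:02:00|citrix-gw|LOGON|user=jdoe|src=198.51.100.7
2012-08-27T09:10:00|db-srv-01|LOGON|user=jdoe|src=10.0.0.5
2012-08-27T09:14:00|db-srv-02|LOGON|user=jdoe|src=10.0.0.5
2012-08-27T09:20:00|fs-srv-03|LOGON|user=jdoe|src=10.0.0.5
2012-08-27T09:25:00|app-srv-04|LOGON|user=jdoe|src=10.0.0.5
2012-08-27T09:31:00|mail-srv-05|LOGON|user=jdoe|src=10.0.0.5
2012-08-27T09:40:00|db-srv-01|LOGON|user=svc_backup|src=10.0.0.9
2012-09-12T01:15:00|db-srv-01|FILE_CREATE|path=C:\staging\part01.7z|bytes=6000000000
2012-09-12T01:40:00|db-srv-01|FILE_CREATE|path=C:\staging\part02.7z|bytes=5500000000
2012-09-12T02:05:00|db-srv-01|NET_OUT|dst=203.0.113.44|bytes=11400000000
2012-09-12T03:00:00|fs-srv-03|FILE_CREATE|path=D:\reports\q3.xlsx|bytes=200000
2012-09-12T03:10:00|fs-srv-03|NET_OUT|dst=10.0.0.20|bytes=300000
"""

# Assumed internal address space; anything outside it counts as "left the network".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ARCHIVE_EXTS = (".7z", ".zip", ".rar")


def parse_log(text):
    """Turn the pipe-delimited lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *kv = line.split("|")
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lateral_movement(events, max_hosts=5, window=timedelta(hours=1)):
    """Flag an account that logs on to >= max_hosts distinct hosts inside one window.
    Returns (user, window start, sorted hosts) per flagged account."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON":
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, logons in by_user.items():
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= max_hosts:
                alerts.append((user, t0, sorted(hosts)))
                break  # one alert per account is enough
    return alerts


def staging_then_exfil(events, min_archive_bytes=1_000_000_000,
                       min_out_bytes=1_000_000_000, window=timedelta(hours=6)):
    """Flag a host that writes a large archive and then, within the window,
    sends a large volume to a non-internal destination.
    Returns (host, transfer time, destination, archive count) per flagged host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        archives = [e for e in evs if e["event"] == "FILE_CREATE"
                    and e["path"].lower().endswith(ARCHIVE_EXTS)
                    and int(e["bytes"]) >= min_archive_bytes]
        if not archives:
            continue
        first = archives[0]["ts"]
        for e in evs:
            if (e["event"] == "NET_OUT" and int(e["bytes"]) >= min_out_bytes
                    and first <= e["ts"] <= first + window
                    and not is_internal(e["dst"])):
                alerts.append((host, e["ts"], e["dst"], len(archives)))
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"lateral_movement": lateral_movement(events),
            "staging_then_exfil": staging_then_exfil(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the constructed input the first rule fires on `jdoe` (six hosts in under thirty minutes, the Citrix gateway included) and the second on `db-srv-01` (two multi-gigabyte 7-zip files written to a staging path, then 11 GB sent to an outside address within an hour), while `svc_backup` and the small internal transfer from `fs-srv-03` stay quiet. The thresholds are deliberately coarse; in practice they would be tuned per host role, and the archive-extension check is a convenience, not a guarantee, since an attacker can rename files.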

More than 74 GB of data were stolen, including 23 database backup files—a combination of encrypted and unencrypted data, Mandiant said.

“What you have to do as governor is step forward and come up with your own plans for equipment and compliance,” Haley said. “That means going above and beyond what people tell you is OK. That’s been the biggest lesson; during this time cyberattacks are going to happen. No one will ever again be 100 percent safe no matter what we do. What we can do is put so many layers in this process that it becomes awfully hard to get into.”

The governor said the state is paying for a year of credit monitoring for its citizens and offering $1M in insurance to residents to pay for breach-related costs. Haley said more than 800,000 calls and activations have been made for credit protection. More than 3.8 million electronic filers were compromised and another 1.9 million dependents listed on those returns. Haley said nearly 700,000 businesses were impacted. All 5,000 credit card numbers stolen in the attack have been expired, she said, as have some of the 3.3 million bank accounts impacted by the breach.

“Assume this information has gotten out there and take measures to protect yourself,” Haley said, adding that Etter’s resignation provides the state with an opportunity to reassess its data protection efforts.

“Jim and I came to an understanding that we need a new set of eyes on the DOR,” Haley said. “When you have old equipment and compliance that’s old, put that together and this is what happened. We need a new set of eyes who will look at data in terms of security and get aggressive in terms of our tax policy. This was the time.”