South Carolina governor Nikki Haley said a mouthful this week when she spilled a dirty industry secret that Social Security numbers are generally not encrypted by state agencies. Reeling from a Department of Revenue data breach that leaked 3.6 million Social Security and credit card numbers as well as other personally identifiable information for more than three-fourths of the state’s residents, Haley called encryption complicated and cumbersome technology.
“The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t,” Haley said during a press conference this week. “It’s not just that this was a DOR situation, but an industry situation.”
While Haley may be correct that most agencies don’t deploy encryption, there are other data protection technologies that could help keep personal data away from hackers. Encryption, meanwhile, is a go-to technology in environments governed by the PCI-DSS standard, as well as under data breach notification laws, which do not mandate public disclosure if the lost data is encrypted.
South Carolina residents, meanwhile, are under the gun for identity theft and a host of other potential financial issues related to the breach. Greenville Online reports today that the breach includes some businesses and that the attack was pulled off using legitimate credentials stolen from one of 250 state employees with access to the DOR database in question.
DOR director Jim Etter said that state identity numbers used for businesses were also stolen along with 3.6 million Social Security numbers and 387,000 credit card numbers; 16,000 of those credit card numbers were not encrypted. The breach began in late August and the Secret Service notified the state on Oct. 10 of the incident.
Attackers, meanwhile, have been making great use of stolen credentials, not only for identity theft scams, but in higher-level, state-sponsored attacks against manufacturers, the defense industrial base and other government agencies.
“Within local and state governments, most don’t encrypt SSN numbers. That’s why we are seeing record numbers of SSNs be stolen in 2012,” said Adrian Lane, analyst and CTO at Securosis. “But with most other industries — and specifically banks — they do encrypt PII to protect their customers and their own businesses.”
Prior to the South Carolina breach, 18 breaches in October alone involved tens of thousands of compromised Social Security numbers, according to the Privacy Rights Clearinghouse and the Data Loss Database.
“In most cases, encryption or other forms of obfuscation (masking, tokenization) can be done transparently to business operations, and at a reasonable cost,” Lane said. “It need not be complicated — but you have to actually invest some time and money to get it done, and that’s how most states fail.”
Governor Haley, meanwhile, said her state is now evaluating encryption as an option, looking at cost and implementation timelines.
“When something like this happens, it forces a whole new conversation,” she said. “This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it. And now we have to deal with it.”
In the meantime, the state is paying for a year of real-time credit monitoring for anyone who signs up, and offering $1 million in insurance to residents to help pay for any breach-related investigation costs.
Sam Curry, CTO of RSA Security’s identity theft and data protection business unit, said any organization must properly assess risks in conjunction with current threats, determine targets and then think about compensating controls such as encryption and tokenization.
“The tools are advanced enough now that if you do your risk assessments correctly and then downstream reduce the places where PII exists, you can then put controls in place with the right processes around them,” Curry said.
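As an added illustration of the approach Lane and Curry describe above (tokenization and masking that stay transparent to business lookups, while shrinking the number of places a raw SSN exists), here is example code written for this article, not code from any agency or vendor named in it. The vault class, the index key and the taxpayer rows are constructed for the example; in a real deployment the vault is a separately protected, encrypted store.

```python
import hmac, hashlib, secrets, re

# Constructed sample records, as rows might sit in an agency database.
# The SSNs are made up for the example, not real numbers.
SAMPLE_ROWS = [
    {"name": "A. Smith", "ssn": "123-45-6789"},
    {"name": "B. Jones", "ssn": "987-65-4321"},
]

class SsnVault:
    """Tokenization vault: the only component that ever holds a raw SSN.

    The application database keeps a random token, a keyed blind index and a
    masked display value. The vault (an in-memory dict here, standing in for a
    separately protected and encrypted store) maps token -> raw SSN, so a copy of
    the application database, or a stolen credential that can only read it,
    yields no usable SSNs.
    """
    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._store = {}  # token -> raw SSN digits

    @staticmethod
    def normalize(ssn: str) -> str:
        digits = re.sub(r"\D", "", ssn)
        if len(digits) != 9:
            raise ValueError("SSN must contain exactly 9 digits")
        return digits

    def blind_index(self, ssn: str) -> str:
        # Keyed HMAC rather than a plain hash: the 9-digit SSN space is small
        # enough to brute-force from an unkeyed digest, so the key stays with
        # the vault, never with the application database.
        data = self.normalize(ssn).encode()
        return hmac.new(self._index_key, data, hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        token = secrets.token_hex(16)  # random; reveals nothing about the SSN
        self._store[token] = self.normalize(ssn)
        return token

    def detokenize(self, token: str) -> str:
        # The one call access control and audit logging must guard.
        return self._store[token]

def mask(ssn: str) -> str:
    """Display form that business screens can show without the full number."""
    return "***-**-" + SsnVault.normalize(ssn)[-4:]

def ingest(vault: SsnVault, rows):
    """Return rows as the application database stores them: no raw SSN column."""
    return [{"name": r["name"], "ssn_token": vault.tokenize(r["ssn"]),
             "ssn_index": vault.blind_index(r["ssn"]),
             "ssn_masked": mask(r["ssn"])} for r in rows]

def find_by_ssn(vault: SsnVault, app_rows, ssn: str):
    """Equality lookup by SSN that never puts the SSN in the application DB."""
    idx = vault.blind_index(ssn)
    return [r for r in app_rows if hmac.compare_digest(r["ssn_index"], idx)]
```

The lookup still works on the blind index, which is what lets existing business operations continue unchanged, while an attacker holding only the application rows gets tokens, keyed digests and last-four masks.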
Curry added that organizations cannot underestimate the importance of intelligence gathering about threats and systems in place on a network, as well as a proper investment in incident response.
“I’m always leery of people who say ‘If we only had X…’ Well if you only had X, the bad guys would have attacked Y,” Curry said. “I care more about processes and approaches versus which widget you’ve bought.”