South Carolina Shows How Not To Do Security

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

Identity Theft Monitoring Services

[Anonymous Coward]

So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

amateurs

[ruir]

The point is exactly this, many organizations just keep their data in any convenient format, even it is excel spreadsheets. This are one of the things it is hard to understand, if you want work well done, you call a plumber, and electrician, and they have to be certified, and many years of experience, references, whatever more. And then when it comes to sensitive data that can mean to put people in peril of theft identity, people do it by themselves, or just hire a nobody to do it. ...

A General Rule

[mbone]

I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.

The whole system is to blame.

[Waffle Iron]

Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.

It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.

Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.

don't secure it, take it away

[iggymanz]

there is no reason most govenment employees need a pc connected to the internet. they should be using the equivalent of a dumb terminal that can only access relevant apps running on a server. instead, government employees use their pc as entertainment device. past time to take away their toys and give them a one-use tool

Re:What primary key for person?

[sribe]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

At least in the U.S., there is none. But pretending that the SSN is one does not make it so.

Re:$800,000

[Anonymous Coward]

Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

Of course not. Punishment is reserved for the serfs, not for disciplining the Lords who make up the rules on the fly.

FTFY

Re:don't secure it, take it away

[Bearhouse]

This is modded insightful? There are plenty of reasons why a Gov.employee should be able to access the internet from their work device(s). Would be better to say that 1. Such access should be better protected and, 2. internal systems should be isolated from anything that (inevitably) slipped through

Re:Publish Social Security Numbers

[CodeBuster]

it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.

The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.

Re:What primary key for person?

[ShanghaiBill]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

Easy answer: SSNs. There is nothing wrong with using SSNs for identification . The problem is that we pretend like they are some sort of secret, and use them as authentication . That is stupid and it should be illegal for an financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.

Re:$800,000

[wonkey_monkey]

Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.

Re:well IT needs a union / engineer like signoffs

[Jawnn]

I'd love to spend my mod points on you, brother, but your sage words deserve more....

I am not sure about the union part but it absolutely should have engineer type signoffs.

Most engineers in charge of building things that can hurt people of those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHB's, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit about, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.