
South Carolina Shows How Not To Do Security

Posted by timothy
from the at-least-the-failure-was-spectacular dept.
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
  • $800,000 (Score:5, Interesting)

    by Patch86 (1465427) on Saturday December 15, 2012 @11:33AM (#42301317)

    By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

    Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

  • by Anonymous Coward on Saturday December 15, 2012 @11:43AM (#42301375)

    So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

    I agree. Letting the victims freeze their credit for free would do it - actually EVERYONE should be able to do that for free!

    But here's something else to consider: this wouldn't be a problem if businesses and Government were more responsible with personal information. If business and Government weren't so ignorant as to use the social security numbers as identifiers. If we had unlimited free credit reports from AnnualCreditReport.com - that's the FTC's website.

    And it's not only folks who want to open up a line of credit. Another use of stolen SSNs is for illegal immigrants. They work under the stolen SSN - and if the employer did a background check it would pop up immediately, especially when many of them use their own names. AND many times, they will file income taxes, getting the victim's refund - if any.

    And don't get started on what happens to the victim when someone uses their identity and gets arrested.

    Government is way too confident in their computer systems and their accuracy.

  • by onyxruby (118189) <onyxrubyNO@SPAMcomcast.net> on Saturday December 15, 2012 @12:23PM (#42301597)

    I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club-style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.

    Until the values assigned to the cost of data breaches go up, or unless you have some kind of law (HIPAA, SOX, etc.), this kind of thing will only continue. Public notification laws are one of the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.

    When upper management thinks that computer management and security have no value and that security breaches cost less than security, this kind of thing is inevitable.

  • by Ambassador Kosh (18352) on Saturday December 15, 2012 @12:49PM (#42301709)

    I am not sure about the union part, but it absolutely should have engineer-type signoffs. Just as other things require a certified engineer to sign off on something (with legal consequences), this also prevents businesses from just going ahead and doing stuff anyway.

    However, to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

    At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.
