I've told you before about the massive data breach of the computers of the South Carolina Department of Revenue that resulted in the stealing of databases containing the Social Security numbers, credit card and bank account information of 3.8 million taxpayers and some 700,000 businesses who filed state tax returns electronically. I find the ongoing recriminations, finger pointing, head rolling, excuses being given and other fallout from the incident simply fascinating.
Naturally, one major question has been: how did it happen? The state hired Mandiant, a highly regarded information security company, both to try to determine how it happened and exactly what data has been compromised.
As to the how, Mandiant thinks it knows the answer. It's dismayingly simple — a state employee clicked on a "phishing" email.
Mandiant's Public Incident Response Report, released last week says:
"A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user's username and password."
The phony email was responded to on August 13, and two weeks later the hacker logged onto the user's workstation and through it onto the State's computer system. Then, for more than two months he, she or they roamed freely through multiple South Carolina computer systems and databases.
What happened over these two month of undetected access is almost a textbook example of what a hacker with enough ability can do. According to the report:
- Thirty-nine systems were accessed by the "attacker" who used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft.
- The attacker installed a "back door" to allow continual access to one system.
- The attacker stole at least 8.2 gigabytes of compressed databases and files from three systems (including the taxpayer database).
- One system was used to send data out to the attacker.
- The attacker executed a utility to obtain user account passwords for all Windows user accounts.
The amount of data that was stolen in this malicious attack is being called the biggest ever. Some in the state seem to take a perverse pride in this fact. But I'm afraid the South Carolina breach is far, very far, from the largest.
Police in Greece have arrested a computer programmer for allegedly stealing the identity information of most of the country's population. The thief was found in possession of "nine million data files containing identification card data, addresses, tax ID numbers and license plate numbers", and he was found to be attempting to sell this information.
Whether he hacked databases to get this information, or had an accomplice in government, is still unclear say authorities.
The last Greek census, in 2011, puts the population at 10,787,690. So nine million individual files would seem to mean that more than 83 percent of Greeks have had their personal information stolen. But wait, the police say, many of the files contained duplicative information, so the number of individuals exposed is certainly much fewer than nine million.
But nine million files easily trumps South Carolina's 3.8 million.