One week ago, one of the worst instances of cyber-crime in US history was revealed to the good people of South Carolina. This story has been developing rapidly over the last seven days, but here is what we know so far:
- 3.6 Million social security numbers and 387,000 bank debit card numbers were stolen
- 3.6 Million social security numbers and 16,000 debit card numbers were completely unencrypted
- There were five intrusions from late August to mid-October
- The state didn’t know about any of this until October 10 (at least) when it was detected by the Secret Service
- The state didn’t tell anybody about this until October 26
- State employee credentials were used during the attack. (1 out of the 250 employee accounts)
- Although denied initially, it was revealed that nearly 650,000 businesses also had compromised tax returns
- Hackers got access to “potentially anything on a tax return.”
Throughout this week, Governor Nikki Haley has made several statements and held press conferences to detail what happened and the steps the state is taking to respond. During those conferences, the Governor has repeatedly made statements that are simply not true. Most of these revolve around one central theme: These things just happen, nothing could have been done to prevent this breach.
As a person who is involved in both politics and in computer engineering, I see this stance as patently absurd. I don’t know Haley’s motives in saying these things, or if she’s simply trying to translate what she’s heard from technical experts into something that can be digested by the public, but there’s no nice way to say it: she’s wrong.
First off, let’s look at the political side of this. Why does the state have so much of our personal information in the first place? Aren’t we afforded privacy protection against the state by our natural rights, and by our Constitution? The answer is obvious: the income tax. In order to run a state-wide income tax administration, the state government must collect personal information from each taxpayer, including our social security number, address, family information, etc. One shockingly simple way that this hack could have been prevented is if the state would have implemented a consumption-based taxing scheme.
With a consumption based tax system, the government doesn’t have to collect private information from each citizen, and we don’t have to fill out tax return forms that detail our every activity and strip us of all of our privacy. Instead, we would simply pay a sales tax at the point of sale, which would be anonymous. It still isn’t a perfect world, but at least the government would respect a little bit more of our rights, and we wouldn’t have to rely on them to keep our information safe. In fact, here in South Carolina, we could eliminate the business income tax and the personal income tax, and keep the current sales tax at the same level, simply by eliminating the sales tax exemptions. Imagine the money that would have been saved at the SC DOR, not having to keep track of, or keep secure, all of those tax records. But I guess that would have been too easy.
So now onto the harder part, the technical stuff. There are several obvious reasons Haley’s assertion of “nothing could be done” is just plain wrong:
- Encryption of sensitive information is simply standard practice in the IT world. Encryption wouldn’t have prevented the hackers from getting into the network, but it would have meant that all of the information they stole would have been entirely useless to them. Most modern encryption schemes aren’t “hack proof,” but they are so complex that unauthorized decryption would take millions of years. Also, while not an “easy” thing to do, an experienced computer design team could quickly develop an encryption scheme for the data, and you can even find some that are pre-developed with a quick Google search.
- The state of South Carolina already has enhanced network monitoring, but the SC DOR refused to participate in the program.
- There is absolutely no reason for 250 people to have login credentials that provide them the level of access that would allow this kind of theft. Pretty much every information system out there today is designed with an architecture that provides data storage separately from the user interface. People who enter data into the system should only have restricted access to this interface, and anyone who is able to run a report that shows multiple records should require enhanced access. Finally, there should be absolutely no way for a user to get file level access and simply copy all of the information.
- The network where this information resides should absolutely not be accessible from the open internet. Any Cisco CCNA or other network architect can tell you that sensitive information needs to be segmented away and cut off from the outside world as much as possible. If a Virtual Private Network connection was used, then the question is: does the SC DOR need remote access to such private information? I think not.
- Finally, the recent revelation that “anything that would be on a tax return” is potentially compromised, combined with the announcement that businesses had their tax returns stolen, leads me to believe that the hackers may not have stolen information from a database, but might have actually gotten digital scans of personal (and business) tax returns. I have no confirmation of this, but if true, it means that the hackers don’t only know identifying information, but they know detailed personal behavior and property ownership information. If you are a small-business person that files your business taxes on your personal return, then they know how you operate your business, what suppliers you spend your money with, what all of your expenses are, etc. Long story short: it is unthinkable that these files would just be sitting around on a network for any of 250 people to grab, not to mention hackers. If the state needs to scan these documents in for data entry and/or archiving, then they should be immediately stored in encrypted, password protected archives.
Tom Utley is the Vice Chairman of the Republican Liberty Caucus of South Carolina. Tom was born in Bluffton, SC and studied Computer Engineering at Clemson University. Tom currently lives in Summerville, SC and works for a Computer Software and Services company in Charleston, SC.