The mainstream news (NYTimes, Forbes) has covered the recent data breach in South Carolina’s Department of Revenue without really placing the blame on anyone who’s responsible for this mess. It’s so bad, let’s not even call it a mess. Let’s instead call it what it is – a catastrophe for the personal data of South Carolina residents.
Current state population: 4.6 million. Exposed records: 3.6 million.
The scale of the data breach is unbelievable. Governor Nikki Haley stated that they were attacked by an “international hacker”, based on the IP address in log files. She, along with various law enforcement officials, went on to stress bringing this person to justice, and they collectively sat on this information for roughly two weeks to reach certain benchmarks in the investigation. This press conference could easily be a scene from any hacker movie of the last couple of decades, with officials bumbling along, making statements they don’t understand.
Some items that caught my ear and I can’t accept:
- Governor Haley stated that all of the holes have been plugged. Given that you didn’t know anyone in any IT department below the CTO level only a couple of weeks ago, how can you make that claim? Better yet, how can you not encrypt 3.6 million social security numbers in a database? How can 16,000 credit card numbers not be encrypted? Storing card numbers unencrypted breaks basic PCI-DSS compliance.
- Governor Haley said that she wanted the hacker “slammed against the wall”. I’m guessing that she’s not aware that this will be a bored 15 year old kid in Russia. Good luck with that. The real people who should be slammed against the wall are those who signed off on leaving the data unencrypted. Take everyone who’s ever touched that data architecture and fire them immediately. These people are your past, present, and future security holes.
- The Governor seemed satisfied that the state is offering identity monitoring. Sorry, the cat’s out of the bag. You can’t get the social security or credit card numbers back. Credit cards can at least be reissued; the 3.6 million social security numbers won’t change, and residents will have related problems for years to come.
If we as a people continue to let those with blatant disregard for security and standards escape without penalty, then breaches like this will never slow down. I don’t care if it’s the programmer, database admin, project manager, or the CTO – hold those involved responsible. We all have a duty to stand up for protecting the data of our users.