funsec mailing list archives
South Carolina Taxpayer Data Breach Report Shows Protections Inadequate, Attorney Says
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 5 Dec 2012 17:53:36 -0500
Interesting facts from this breach. I suppose it's because a state was involved, and not a corporation that could bury the facts and then claim an "APT" got them.

Disappointing statements: "[South Carolina] were IRS-compliant" and "Governor Calls on IRS to Require Encryption."

http://www.bna.com/south-carolina-taxpayer-n17179871241/

A recently released report analyzing a cyber-attack on the South Carolina Department of Revenue's database demonstrates the inadequacy of taxpayer protection efforts by state agencies and officials, a lawyer who filed a lawsuit over the issue told BNA Nov. 26.

...

According to Mandiant's report, released Nov. 20, the attack appeared to have begun through a phishing email sent to multiple Department of Revenue employees. At least one agency employee clicked on a link embedded in the email, which likely executed malware that stole the worker's user name and password, the company said in its report. Those credentials were later used to access other agency systems and databases and install malicious software. A total of 44 systems were compromised by the attacker, and at least 33 pieces of malicious software and utilities were used to perform the attack and steal data, the report found.

...

According to Haley, the investigation determined that the Social Security information of 3.8 million taxpayers, information belonging to 699,900 businesses, 3.3 million bank accounts, and 5,000 credit cards were compromised through the attack. The attack only impacted filers of electronic returns, and all affected taxpayers have been identified and will be notified, the governor said. Haley said the state's use of “1970 equipment, combined with the fact that we were IRS-compliant” was “a cocktail for an attack.” According to the governor, “every state needs to be looking at this.”

...