Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

South Carolina's Massive Data Breach – "Encryption is Complicated"

November 6, 2012

More than 75% of South Carolina’s residents had their Social Security numbers, credit card numbers and other personally identifiable information breached. News of the breach came in October, though it actually began in August. Who uncovered the breach? Usually it is the FBI, but this time it was the Secret Service that notified S.C. on October 10th.

How did the breach happen? Someone, as yet unknown, stole legitimate credentials from one of the 250 state employees with access to the South Carolina Department of Revenue (DOR) database.

Why was the attack so easy? Because (pulling our hair out here) the data was not encrypted. While this was horrific enough, the statements by S.C. governor Nikki Haley may have been more alarming. With 3.6 million of her citizens affected, Haley was in full defensive posture, saying that encryption was “complicated and cumbersome technology.”

This is a Governor in need of some education.

She also said “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t . . . It’s not just that this was a DOR situation, but an industry situation.”

Really – banks don't encrypt? I'd like her to name one.

Industry expert Adrian Lane, the CTO of Securosis has said, accurately: “In most cases, encryption or other forms of obfuscation (masking, tokenization) can be done transparently to business operations and at a reasonable cost. It need not be complicated – but you have to actually invest some time and money to get it done, and that’s how most states fail.”
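As an added illustration of Lane's point (this is not code from the post, from Securosis, or from the South Carolina DOR), the block below shows the kind of tokenization-and-masking layer an application can put in front of a table of Social Security numbers using only the Python standard library: the real SSN lives in a separate vault, application tables store a random token plus a masked display value, and a keyed hash (HMAC-SHA256) serves as a blind index so the same SSN always maps to the same token. The class and function names, the `tok_` token prefix and the sample records are all constructed for this example; the vault's index key is generated inline here, whereas in a real deployment it would come from a key management service or HSM.

```python
import hashlib
import hmac
import re
import secrets

SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Masking: keep only the last four digits for display (e.g. on a call-centre screen)."""
    if not SSN_PATTERN.match(ssn):
        raise ValueError("expected an SSN formatted as NNN-NN-NNNN")
    return "***-**-" + ssn[-4:]


class TokenVault:
    """Tokenization: the real SSN is stored only here; everything else holds a random token.

    HMAC-SHA256 over the SSN is used as a blind index so that tokenizing the same
    SSN twice returns the same token without keeping the SSN in a reversible form
    anywhere outside the vault. (Hypothetical class for this example.)
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key        # in practice: fetched from a KMS/HSM, never hard-coded
        self._ssn_by_token = {}            # token -> real SSN (the sensitive side)
        self._token_by_index = {}          # blind index -> token (for deduplication)

    def _blind_index(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the existing token for this SSN, or mint a new random one."""
        if not SSN_PATTERN.match(ssn):
            raise ValueError("expected an SSN formatted as NNN-NN-NNNN")
        idx = self._blind_index(ssn)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random: reveals nothing about the SSN
            self._token_by_index[idx] = token
            self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        """Only the (access-controlled) vault can turn a token back into an SSN."""
        return self._ssn_by_token[token]  # raises KeyError for an unknown token


def tokenize_records(records, vault):
    """Replace the 'ssn' column with a token and a masked display value."""
    out = []
    for rec in records:
        r = dict(rec)
        ssn = r.pop("ssn")
        r["ssn_token"] = vault.tokenize(ssn)
        r["ssn_masked"] = mask_ssn(ssn)
        out.append(r)
    return out


def leaks_ssn(records, ssns) -> bool:
    """True if any full SSN appears anywhere in the serialized application records."""
    blob = repr(records)
    return any(s in blob for s in ssns)


# Constructed sample data for this example (not real taxpayers).
SAMPLE_RECORDS = [
    {"taxpayer_id": 1, "name": "A. Example", "ssn": "123-45-6789"},
    {"taxpayer_id": 2, "name": "B. Example", "ssn": "987-65-4321"},
    {"taxpayer_id": 3, "name": "A. Example (dup)", "ssn": "123-45-6789"},
]


def demo():
    """Build a vault, tokenize the sample table, and return both for inspection."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    app_table = tokenize_records(SAMPLE_RECORDS, vault)
    return vault, app_table


if __name__ == "__main__":
    vault, table = demo()
    for row in table:
        print(row)  # no full SSN appears in the application table
```

The practical consequence is the one Lane describes: an attacker holding a stolen employee credential for the application database walks away with tokens and masked values, and the business code that only ever needed a display value or a join key keeps working unchanged. Detokenization happens in one narrow, separately controlled place, which is also where access logging and alerting belong.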

The attackers have already used the data for identity theft and state-sponsored attacks against manufacturers, the defense industry and other government agencies.

“From a state point of view, this is kind of the mother of all data breaches thus far,” said Larry Ponemon, chairman of The Ponemon Institute, which researches privacy and data protection.

In spite of her assertion that encryption is complicated and cumbersome, Haley says S.C. is now considering it. A bit late for South Carolina's citizens who have had their data compromised.

Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq