US media are reporting that a cyber thief has broken into South Carolina’s Department of Revenue and stolen the social security numbers of 3.6 million residents. Anyone who has filed a tax return since 1998 is now potentially at risk, and this accounts for a massive 77% of the state’s population.
The Department of Revenue has confirmed that it failed to encrypt the information (whoops!). The discovery was made on the 10th October but officials waited over 2 weeks to inform the public. To make matters worse, on Friday the same department announced that it also suffered another cyber attack where 387,000 credit/debit card numbers were stolen. Although the majority were encrypted, there were over 16,000 that were not.
Investigators stated they delayed announcing these data breaches because they needed time to track down the culprit and assess the amount of data stolen. There are often mixed opinions when it comes to how officials deal with the aftermath of a data breach. Lisa Vaas, writing for Sophos on the story, agreed that investigators should be given time to track down the culprits. I’m not so sure. What benefit does it provide the individual with? In this instance the Department of Revenue should have encrypted the social security numbers and those 16,000 credit/debit card numbers in the first place. After all, this isn’t some dodgy website you’re entrusting your personal information to, it’s the government. Individuals have a right to know, and although this may compromise catching the criminal, the notion of the horse already bolting the stable springs to mind.
Commenting on the story, the Governor of South Carolina said: “I want this person slammed against the wall. I want the man brutalized.” Pretty strong words! I’m sure, Governor, that some of those people now checking their bank accounts might well be thinking the same about you!