07 November 2012


A million here, a million there ... they soon add up.

The NY Times reports that "theft of tax information from a South Carolina computer system appears to have been the largest cyberattack ever on a state government and has put other states on high alert". 
The state announced late last month that an international hacker had stolen 3.6 million Social Security numbers and 387,000 credit and debit card numbers. Now tax departments across the country are inspecting their own security systems. “When one employee’s laptop gets stolen, it’s a big deal,” said Verenda Smith, the deputy director of the National Federation of Tax Administrators. “So you can imagine the reverberations when this news came out.” Since 2005, at least 11 state tax agencies have faced security breaches, according to the Privacy Rights Clearinghouse, a consumer rights group. But most were caused by internal accidents, not attacks, and none were on this scale. ...
The hacking has raised questions about whether South Carolina was unprotected or simply unlucky. Most of the stolen credit cards were encrypted, but the Social Security numbers were not. The computer system that was hacked did not have a free layer of security monitoring offered to all South Carolina agencies, according to the State Budget and Control Board.
In a lawsuit filed last Wednesday, a former state senator, John Hawkins, said the state had failed to protect taxpayers and had not reported the attack promptly. The tax agency detected the attack on Oct. 10 and, after notifying federal authorities, alerted the public on Oct. 26.
“Obviously these hackers picked South Carolina because it was vulnerable,” Mr. Hawkins said. “I equate it to a burglar going into a neighborhood. He’s going to break into the house with no alarms and the door open.”
The Times notes that Social Security records for 3.5 million people were inadvertently disclosed on a Texas state government computer server. In Georgia in 2007 a disk containing personal information on 2.9 million people went AWOL. I've elsewhere noted the exposure by the federal Veterans Affairs Department in 2006 of records regarding 26.5 million people.
Gov. Nikki R. Haley said that South Carolina had a state-of-the-art security system but that the hacker nevertheless found a way around it. Her office said on Friday that it was encrypting all tax files to reduce the harm if any were stolen, and that the process would be completed within 90 days. The state is paying up to $12 million to provide a free year of credit monitoring and identity theft prevention to anyone affected. Last Wednesday, the state disclosed that tax records for 657,000 businesses had also been hacked. Anyone who has filed a tax return since 1998 has been urged to contact state law enforcement officials. By last Thursday, 653,000 people had called the state’s emergency hot line, and 521,000 had signed up for identity protection.
In Australia the latest revelation of a data breach has been more prosaic, with the SMH reporting that a security flaw - one that's readily foreseeable - exposed up to 500 Dodo Power & Gas customer statements (including customer names, addresses, power usage details and account numbers) on Dodo's website on Friday.
The flaw was revealed when a Dodo customer contacted Fairfax to say she was able to change the randomly generated eight-digit number of her statement's URL on the Dodo Power & Gas website to another, similar one to see other customers' statements. 
Dodo chief Larry Kestelman says the company will investigate the security breach. 
News Limited has reported similar flaws at Australia Post, which allowed customers of the postal service to see the names, addresses, businesses, email addresses, landline and mobile numbers of Australia Post recipients by manipulating an Australia Post web portal's URL. 
Dodo chief executive Larry Kestelman said Dodo regretted there was an "IT issue" that had caused a "small number of customer statements to be exposed". He said the problem had been fixed and Dodo would conduct an investigation to understand what caused the problem and how to stop it from happening again.