Slashdot Mirror


South Carolina Shows How Not To Do Security

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

4 of 123 comments

  1. Identity Theft Monitoring Services by Anonymous Coward · Score: 5, Insightful

    So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

  2. $800,000 by Patch86 · Score: 5, Interesting

    By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

    Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

    1. Re:$800,000 by wonkey_monkey · Score: 5, Insightful

      Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

      No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.

      --
      systemd is Roko's Basilisk.

  3. The whole system is to blame. by Waffle+Iron · Score: 5, Insightful

    Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.

    It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of whom you have any reason to trust.

    Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.