Official TEKConn Blog

South Carolina governor blames outdated equipment, encryption standards for DOR hack

The governor of South Carolina blamed outdated equipment and encryption standards for a breach of the state Department of Revenue's network earlier this fall.

The governor of South Carolina blamed outdated equipment and encryption standards for a breach of the state Department of Revenue's network earlier this fall.

Last month we reported that South Carolina's Department of Revenue (DOR) was hacked, resulting in the private information of about 3.6 million taxpayers and dependents being pilfered. This information included social security, credit card and bank account numbers.

Last week, South Carolina Governor Nikki Haley held a news conference, during which she laid the blame at the doorstep of both the DOR and the Internal Revenue Service (IRS). Haley explained that the DOR was using 1970s-era computer equipment, and that the IRS does not require social security numbers to be encrypted. She went on to say that the state will now encrypt this data regardless of federal standards, but encouraged the IRS to update its requirements anyway.

How did the hackers penetrate the DOR system?

According to an ITworld article, security firm Mandiant identified how the culprit managed to gain access to the DOR network. Apparently, a department employee fell victim to an email phishing ploy, where a message appeared to be from a trusted sender. When opened, malware contained in the email allowed the net ne'er-do-well to steal the employee's username and password for the agency's remote access service.

From there, millions of South Carolina residents were victimized. However, in addition to individual citizens, nearly 700,000 businesses had private information compromised as well, the news source reports.

All it takes is for one person to be tricked by such a simple attack, and the ripple effect can impact millions of lives, including businesses of every size. Managed IT support is the best way for smaller organizations with limited IT resources to ensure every employee is trained on security best practices. It's also the most efficient method of monitoring small business networks and detecting breaches before they can wreak serious havoc.