Stolen Password Led to South Carolina Tax Breach Timeline Shows When and How Hacker Entered State Tax System

A stolen state employee password allowed a hacker to breach the South Carolina tax system earlier this year, resulting in the exposure of records of more than 3.8 million individual and 700,000 business tax filers [see South Carolina Revenue Department Breached].

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

Gov. Nikki Haley on Nov. 20 issued a report from the IT security firm Mandiant, which the state hired to investigate the breach, that says the hacker obtained the password when an employee of the Department of Revenue opened an e-mail containing malicious computer code on Aug. 13 [see complete timeline of the breach below].

"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley said at a press conference.

The tax records exposed were those electronically filed since 2002, although some records as far back as 1998 were exposed. The hacker also pilfered 3.3 million unencrypted bank account numbers and 5,000 expired credit card numbers. In addition, the breach also exposed personally identifiable information of some 1.9 million dependents. The state will notify those whose data were breached by mail. The state is paying $12 million in identity protection services for taxpayers.

The report cited two basic security flaws: the failure of state workers to use multiple passwords to obtain sensitive data and the failure by the state to encrypt sensitive tax data. Haley blamed the breach on a combination of 1970s technology and the state's reliance on Internal Revenue Service guidance that she said does not require the encryption of Social Security numbers, creating what the governor dubbed a "cocktail of an attack."

Effectiveness of IRS Guidance Questioned

Haley sent a letter to IRS Acting Commissioner Steven Miller, calling on the federal service to require all states to have stronger security measures for handling tax information, particularly encryption of tax data that are stored or at rest. Citing IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies, Haley wrote that the guidance does not unequivocally require states to encrypt tax data. "What is even more troubling is that it appears that federal agencies, including the IRS, may also not be required to encrypt stored federal tax information," Haley said.

In response to an e-mail inquiry from Information Security Media Group, the IRS didn't explicitly explain its policies and processes regarding the encryption of taxpayer information. "We have many different systems with a variety of safeguards -- including encryption -- to protect taxpayer data," spokesperson Michelle Eldridge said. "The IRS has in a place a robust cybersecurity of technology, people and processes to monitor IRS systems and networks.

"We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology."

The governor said the state would acquire new equipment and develop its own security standards.

"The one thing they've continued to tell me over and over is no one will ever again be 100 percent safe, no matter how much we do," Haley said. "But what we can do is put so many layers in this process that it is awfully hard to get into."

Changes to the tax system will be done with a new leader at the Department of Revenue. Haley announced the resignation of Jim Etter as director effective Dec. 31 to be replaced by Bill Blume, executive director of the South Carolina Public Employee Benefit Authority.

The Mandiant Report

And that process begins with the Mandiant report, which revealed the attacker compromised 44 systems, used 33 pieces of malicious software and utilities to perform the attack and data theft, remotely accessed Revenue Department servers using at least four IP addresses and employed at least four valid department user accounts during the attack.

Mandiant provided a timeline of events surrounding the breach:

    Aug. 13: A malicious e-mail was sent to multiple Department of Revenue employees. At least one user clicked on the embedded link, unwittingly executed malware and became compromised. The malware likely stole the user's username and password.

    Aug. 27: The attacker logged into a Citrix remote access service using legitimate user credentials. The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other departmental systems and databases with the user's credentials.

    Aug. 29: The attacker executed utilities designed to obtain user account passwords on six servers.

    Sept. 1: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed backdoor malicious software on one server.

    Sept. 2: The attacker interacted with 21 servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Revenue Department, but was not able to accomplish anything malicious.

    Sept. 3: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Revenue Department, but was not able to accomplish anything malicious.

    Sept. 4: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.

    Sept. 5-10: No evidence of attacker activity was identified.

    Sept. 11: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.

    Sept. 12: The attacker copied database backup files to a staging directory.

    Sept. 13 and 14: The attacker compressed the database backup files into 14 encrypted 7-zip1 archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.

    Sept. 15: The attacker interacted with 10 systems using a compromised account and performed reconnaissance activities.

    Sept. 16-Oct. 16: No evidence of attacker activity was identified.

    Oct. 17: The attacker checked connectivity to a server using the backdoor previously installed on Sept. 1. No evidence of additional activity was discovered.

    Oct. 19 and 20: The Department of Revenue executed remediation activities based on short-term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker's access to the environment and detect a re-compromise.

    Oct. 21-present: No evidence of related malicious activity post-remediation has been discovered.

Mandiant said it has developed a plan to implement intermediate- and longer-term recommendations to enhance the department's security against future compromise. Those longer term recommendations are in the process of being implemented.


About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.





Around the Network