ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

1 recommendation

ke4pym

Premium Member

Millions of South Carolinians' social security #'s stolen

387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.

»www.wbtv.com/story/19926 ··· s-hacker

»tinyurl.com/9a9e8nc

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer

Premium Member

Thanks for the article! I've forwarded it to our kids in South Carolina.

Looks like SC is stepping up to help those affected -
said by article :

If you have paid taxes in the state of South Carolina, you are urged call 1-866-578-5422 to get an activation code to use here: www.protectmyid.com/scdor to see if your information has been compromised. If so, the state will provide a year of identity-theft protection and credit monitoring free of charge.


Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to ke4pym

Premium Member

to ke4pym
"This is not a good day for South Carolina," said Governor Nikki Haley. "South Carolina has come under attack by an international hacker."
The Governor has been watching too many movies.

Haley said she knows where the attack came from, but would not reveal the location of the hacker so the investigation would not be put in jeopardy. "I want this person slammed against the wall," said Haley. "I want that man just brutalized."

Does she moonlight for the MPIAA?
Guilt by IP is less accurate than guilt by Ouija board or crystal ball because criminals, or "international hackers" do not expose their IP's, they use multiple hops across different national borders with at least one of the hops being in the middle of a rice field in N. Korea.
Now if it's some kid working out of his parents garage in Ohio they may have a shot at him (not a literal shot...I hope) point being that if it is an experienced international hacker they have as much chance of catching him by IP as I do of buying out Microsoft with cash.
ps the issue I have with statements such as "International Hacker" is that it carries a message that says the hack was unpreventable or only done with extraordinary hacking skills when that is simply never true (excluding Stuxnet etc... this was NOT a Stuxnet type of sophistication).
If they can't own up to being sloppy where's the motivation to getting it right?

Uncle Paul
join:2003-02-04
USA

Uncle Paul to ke4pym

Member

to ke4pym
»www.greenvilleonline.com ··· _check=1

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

“It’s been my experience that your information security system is only a function of how bad somebody wants to look at it. I can assure you, if somebody wants to get into your system, they can get into your system. The question is how much time, energy and commitment they have and how hard are you going to make it for them to minimize that risk. There is no risk-less system.”
BINGO!
That's it, right there.
Extrapolate that to the S.Carolina incident & it should be obvious that no "International Hacker" is going to spend an unprecedented amount of time/resources into hacking a S.Carolina data base.
No offense intended, but it's hardly worth that level of attention, IMO, which only leaves a more simple attack, even an automated attack.
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned)

Member

The attacker is international you know they can not be stopped. However, as the governor said they can be easily traced to their coffee shop then brutalized by South Carolina's overseas agents.

Absolutely there is no way to separate personal data and CC SSN from the front facing webservers that is just impossible. That international cafe hacker just has too many resources. SARCASM
They left some data unencrypted maybe some CC and the SSN. Plus left web access open.
nonymous

nonymous (banned) to Snowy

Member

to Snowy
said by Snowy:

That's it, right there.
Extrapolate that to the S.Carolina incident & it should be obvious that no "International Hacker" is going to spend an unprecedented amount of time/resources into hacking a S.Carolina data base.

Unless by the quick look over the site some possible flaws were found which makes attack more tempting. Bad security design, outdated setup that has been successfully attacked before. Maybe something caught a potential hacker's eye as less than secure so an easier target worthwhile for personal effort.
Now if it was just all automated then still most likely bad design or did not patch a known security hole.

Uncle Paul
join:2003-02-04
USA

Uncle Paul to ke4pym

Member

to ke4pym
Current word is the take is ~3 million records. I believe there's ~4.5 million in the state. Please stand by for the normal over amplified blanket knee jerk reaction from the politicians.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by Uncle Paul:

Current word is the take is ~3 million records. I believe there's ~4.5 million in the state.

One of the links stated that although most of the CC data was encrypted none of the SSN data was encrypted.
If true, who needs CC data when ~3 million SSN records @ a dime each on the black market is a fast ~$300,000.00?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to ke4pym

Premium Member

to ke4pym
quote:
"We are going to have a very strong approach to make sure that every South Carolina taxpayer is protected," said Haley. "No taxpayer should be a victim to this. We will take care of them."
"Protected"... "take care of them"... like when the state stored their SSNs and some of the credit card numbers unencrypted? When a state fails to do the simplest things within their power, how much credibility do they have in claiming they'll do things that may elude their power?
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned) to ke4pym

Member

to ke4pym
said by ke4pym:

387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.

»www.wbtv.com/story/19926 ··· s-hacker

»tinyurl.com/9a9e8nc

I wish the questions on my tests were as easy as do you store SSN's encrypted or unencrypted.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

2 edits

siljaline to ke4pym

Premium Member

to ke4pym
More:

• »arstechnica.com/security ··· xpayers/

• »www.scmagazine.com/monst ··· /265639/

• »www.theverge.com/2012/10 ··· -numbers

• »gizmodo.com/5955367

• »news.cnet.com/8301-1009_ ··· ta-base/

• »gizmodo.com/5955367

• »www.computerworld.com/s/ ··· .6M_SSNs

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

DownTheShore to ke4pym

Premium Member

to ke4pym
Not condoning at all the hacking, but if after all the scares lately about stolen credit card info, SSN's, personal data didn't wake up whoever's in charge of IT in SC, then they deserve to lose their job over this.

State officials have known of the data breach since October 16, and suspected an intrusion as early as October 10, but didn't disclose it until Friday, just hours before the start of the weekend.

Translation: News released on Friday, when it would hopefully quickly fall out of the news cycle.

KodiacZiller
Premium Member
join:2008-09-04
73368

1 recommendation

KodiacZiller to Snowy

Premium Member

to Snowy
said by Snowy:

Does she moonlight for the MPIAA?
Guilt by IP is less accurate than guilt by Ouija board or crystal ball because criminals, or "international hackers" do not expose their IP's, they use multiple hops across different national borders with at least one of the hops being in the middle of a rice field in N. Korea.
Now if it's some kid working out of his parents garage in Ohio they may have a shot at him (not a literal shot...I hope) point being that if it is an experienced international hacker they have as much chance of catching him by IP as I do of buying out Microsoft with cash.
ps the issue I have with statements such as "International Hacker" is that it carries a message that says the hack was unpreventable or only done with extraordinary hacking skills when that is simply never true (excluding Stuxnet etc... this was NOT a Stuxnet type of sophistication).
If they can't own up to being sloppy where's the motivation to getting it right?

^^^ This ^^^

It amuses me when people claim they know where a hack originated. IP's mean nothing.

The problem is almost certainly that they are running a bunch of insecure Windows boxen with tax-payer information being accessible from the Internet. They probably slap some AV software on there and think that means they are "secure."

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to ke4pym

Premium Member

to ke4pym
3.6 million Social Security numbers hacked in S.C.
quote:
The U.S. Secret Service detected a security breach at the S.C. Department of Revenue on Oct. 10, but it took state officials 10 days to close the attacker’s access and another six days to inform the public...
It appears the hacker’s first attempt to probe the Revenue Department’s system came from a foreign Internet address on Aug. 27. ...
The attack was discovered Oct. 10 by the U.S. Secret Service’s electronic crimes task force in South Carolina...
Does anyone else find this a little odd (about the whole thing being discovered by the Secret Service)? I've seen it in several other articles about the breach, as well. I'd like to see some amplification about what an agency of Homeland Security was doing with South Carolina's tax database records and/or how they were doing it, all happening out ahead of any awareness of the breach.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by Blackbird:

Does anyone else find this a little odd (about the whole thing being discovered by the Secret Service)?

I attributed the timeline/USSS access issue to poor press release writing.
On many levels, I hope that's the case.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

Premium Member

said by Snowy:

said by Blackbird:

Does anyone else find this a little odd (about the whole thing being discovered by the Secret Service)?

I attributed the timeline/USSS access issue to poor press release writing.
On many levels, I hope that's the case.

The first stories had the Secret Service alerting the state of South Carolina on Oct 10. The story from The State (3.6 million Social Security numbers hacked in S.C.) notes:
quote:
...The attack was discovered Oct. 10 by the U.S. Secret Service’s electronic crimes task force in South Carolina, Special Agent in Charge Michael Williams said.

His office notified SLED, and state agencies began scrambling to address the problem.
Now the spin being placed on the story is clearly changing... references to the initial Secret Service involvement have been replaced with anonymous references to "the state learned" on Oct 10, and the implication is now that the state notified Federal "law enforcement" thereafter. From UPI.com (South Carolina hit with huge data breach):
quote:
...The state Department of Revenue acknowledged the massive electronic security breach Friday, reporting a computer intrusion that led to 3.6 million Social Security numbers being stolen... The department learned of the intrusion on October 10, although it has not said how, and alerted federal and state law enforcement, CNET reported.
When one reads the earlier The State article, though, the copious detail therein seems compelling in favor of its accuracy. Which leaves one to wonder why the latest round of articles in the media diminish or omit the Federal alerting of the state agencies (and omit any reference to the Federal agency involved). I read at least 7 different-sourced recent reports on this incident this afternoon and every one is silent now on the Federal alerting role and about how South Carolina became fully aware. If I was paranoid, I'd almost think The State story betrayed some details that weren't supposed to get out regarding the fact that the Secret Service (Homeland Security) was exploring South Carolina taxpayer databases when they stumbled on the hack...

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by Blackbird:

If I was paranoid, I'd almost think The State story betrayed some details that weren't supposed to get out regarding the fact that the Secret Service (Homeland Security) was exploring South Carolina taxpayer databases when they stumbled on the hack...

That's not paranoid. That's putting together facts and coming to a reasonable, if not proven, conclusion. Some can't tell the difference

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

2 edits

Snowy to Blackbird

Premium Member

to Blackbird
said by Blackbird:

If I was paranoid, I'd almost think The State story betrayed some details that weren't supposed to get out regarding the fact that the Secret Service (Homeland Security) was exploring South Carolina taxpayer databases when they stumbled on the hack...

I don't have an opinion on the matter but a reasonable alternate theory would be about what's missing in all the press releases I've seen on the matter.
e.g.,"At this time there has been no indication of malicious use of the stolen data"
type of statements having NOT been made.
That omission could mean that they are aware of or at least suspect the data is being abused.

If that's true, the source of the data would easily be pinned to S Carolina, at which point the USSS involvement would be expected even though S Carolina was not aware of anything specific.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to ke4pym

Premium Member

to ke4pym
Hopefully those involved get it all sorted.

Scary thing is this seems almost a too common monthly item, some site hacked, some exploit, some leak, software or O/S not updated.....the list goes on and users get caught "on another person's watch".

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Snowy

Premium Member

to Snowy
Seems everyone gets sloppy
»www.scmagazine.com/univ- ··· /225158/

Now seeing as I be a S.C. person and never stupid enough to pay taxes with a credit/debit card and even those who do can relax since the way the story came down to us is that it was not a hack of a recent database..and most likely all those cards are expired.
There is a data out there with a time line of all the hacks and breaches of State Databases across the Nation that have been hacked over the last 5 years..it is not a pretty sight.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by Name Game:

...and never stupid enough to pay taxes with a credit/debit card...

Does SC charge a 5-10% "Convenience Fee" for using a CC or electronic check? I've always snail-mailed a paper check to avoid that.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game

Premium Member

Fee at the county level for taxes if you use the epay service

Thank you for using Horry County ePay. The goal of this application is to provide a mechanism for citizens to pay personal property, real property and vehicle taxes online. Please be advised of the following:
Convenience Fees
Credit Card - A 2.85% convenience fee will be charged for the use of credit cards by the payment processor. (VISA, MasterCard, and American Express are the only credit cards accepted)
Visa Debit Card only - A flat $3.95 convenience fee will be charged for the use of Visa debit cards.
eCheck - A flat $2.50 convenience fee will be charged for the use of eCheck.
Horry County does not receive any portion of the above fees.

»www.horrycounty.org:8080 ··· ndex.jsp
If you walk in with a credit card no fees.

For the State no fee if you use their SCnetfile. But if you use some other third party Payment system....

Pay by Direct Debit:
The South Carolina Department of Revenue operates an online system for submitting a request for an extension. You can find this system at SCnetFile

Using SCnetFile you can pay by credit card (MasterCard or Visa Only) or by Direct Debit (electronic check) directly from your bank account. There are no additional charges for using this service.

Pay by Credit Card:
South Carolina accepts payment by credit card through Official Payments Corporation. Making your payment in this way automatically qualifies you for an extension of time to file your tax return until August 15, 2012. You will not need to file any other forms at this time. You can do this either on the web or by telephone.

Official Payments Corporation will accept Discover/NOVUS, MasterCard, Visa or American Express card to pay your personal income taxes. There is a convenience fee for this service equal to 2.5% of the tax amount being charged. The minimum fee is $1.00.

»www.taxbrain.com/taxcent ··· s/sc.asp

http://www.sctax.org/security.htm
»www3.sctax.org/DOREPAY/F ··· Info.htm

The South Carolina Department of Revenue Electronic Sales Tax System (eSales) is designed to give taxpayers a FAST, FREE, ELECTRONIC, and SECURE way to submit return information and tax payments for sales, use, accommodations, local option and special local taxes.

The Department Of Revenue's Electronic Sales System allows you to file and make payment by EFW (Electronic Funds Withdrawal/Bank Draft) or credit card without having to leave your home or office.

EFW payments on current period returns can be warehoused up to 15 days prior to the due date of the return.

Information Regarding Cyber Attack at SC Department of Revenue
»www.sctax.org/security.htm

The S.C. Department of Revenue today announced that approximately 3.6 million Social Security
numbers and 387,000 credit and debit card numbers have been exposed in a cyber attack. Of the credit cards, the vast majority are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders. Approximately 16,000 are unencrypted.

Anyone who has filed a South Carolina tax return since 1998...

»www.sctax.org/NR/rdonlyr ··· logy.pdf

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to Name Game

Premium Member

to Name Game
said by Name Game:

Now seeing as I be a S.C. person and never stupid enough to pay taxes with a credit/debit card and even those who do can relax since the way the story came down to us is that it was not a hack of a recent database..and most likely all those cards are expired.

I completely agree that people in general should relax more.
Specifically, what are the actionable items that a victim of this breach can relax over since a high percentage of CC data is likely to be stale?

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to ke4pym

Premium Member

to ke4pym
Looks like SC is giving lifetime fraud resolution services to those affected;

Under a deal negotiated with a credit monitoring agency, South Carolina citizens whose tax returns were hacked will be eligible for credit fraud resolution for life, officials said Tuesday.



Story at;

»www.islandpacket.com/201 ··· ime.html

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by EGeezer:

Looks like SC is giving lifetime fraud resolution services to those affected;

Under a deal negotiated with a credit monitoring agency, South Carolina citizens whose tax returns were hacked will be eligible for credit fraud resolution for life, officials said Tuesday.



Story at;

»www.islandpacket.com/201 ··· ime.html

That's an appropriate response which acknowledges the severity of giving up the name, address, SSN data of an individual.
Mitigating a credit card data breach is pretty straightforward.
Kill the card, end of threat.
The SSN data though is going to be valid for the life of an individual, with few exceptions.
Kill the person, end of threat is not going to work, especially in an election year.
That leaves diligent monitoring as the best solution short of reissuing the SSN's.
So instead of relaxing I'd suggest signing up for the free monitoring service & start taking an active role utilizing the various tools the service offers.

Rebrider
Been There Done That
Premium Member
join:2000-11-23

Rebrider to EGeezer

Premium Member

to EGeezer
said by EGeezer:

Looks like SC is giving lifetime fraud resolution services to those affected;

Under a deal negotiated with a credit monitoring agency, South Carolina citizens whose tax returns were hacked will be eligible for credit fraud resolution for life, officials said Tuesday.



Story at;

»www.islandpacket.com/201 ··· ime.html

What this means is you are on your own after 1 year. If your stolen information is used in the future after the 1st year, Experian will offer guidelines but you will have to do all the work. They aren't going to do anything for free.
We will have to pay for credit monitoring after the 1st year.
In the end we in SC will have to pay for this. The cost of the monitoring will be paid for by SC taxpayers.
I will now have to sign my wife and I up for credit monitoring for the rest of our lives.

StuartMW
Premium Member
join:2000-08-06

StuartMW to Snowy

Premium Member

to Snowy
said by Snowy:

Kill the person, end of threat is not going to work, especially in an election year.

In many places the dead make up a large part of the electorate. Even better you don't have to spend any money to get their vote

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

2 edits

Name Game to ke4pym

Premium Member

to ke4pym
Hacker Gained Access to Data Using Employee Credentials

»www.wltx.com/news/articl ··· dentials

Keep up-to-date at these twitter links

SCHacked

»twitter.com/search/%23SCHacked

Reporters..

»twitter.com/andyshain

»twitter.com/ginansmith

»twitter.com/adambeam
Name Game

Name Game to ke4pym

Premium Member

to ke4pym
Live Chat to ask Questions:

Staff reporter Andrew Shain will answer your questions at 1 p.m. Wednesday right here about registering for South Carolina's credit protection plan and safeguarding yourself from ID theft. Shain, who covers politics and higher education for The State, spent five years as a consumer columnist at The Charlotte Observer.

Read more here:

»www.thestate.com/2012/10 ··· Vm2l256M