News of a security breach at the South Carolina Department of Revenue that exposed the Social Security Numbers (SSNs) of over 3.6 million taxpayers, is just now hitting the national headlines, even though the discovery of this hacker intrusion was made in October. The breaches themselves go as far back as August and were perpetrated by unknown hackers from overseas who had broken into a SC Department of Revenue database. Read the story here.
News sources report the main vulnerability exposed by the attack was the department of revenue’s failure to encrypt all the SSNs kept in their databases. Some security experts are taking issue with South Carolina’s Governor Nikki Haley’s explanation. She contends that the decision to not encrypt all of the personal taxpayer data, including SSNs, did not go against industry best practices. However, Gartner analyst Avivah Litan characterized the governor’s explanation of her state’s security practices as shaky. “It’s true that most banks don’t encrypt customer data, largely because of performance hits and management overhead.” Litan said, “But most banks do a decent job of instituting strong protections around sensitive customer data at rest.”
According to the state’s own reports, anyone who has filed a tax return in South Carolina since 1998 is likely to have been affected by the breach.
One way banks and other financial institutions can add layers of protection is to assure the security of their email and Internet access in addition to their databases. As experts surveying these events in South Carolina have pointed out, critical data, particularly personally identifiable information, needs to be rigorously defended whether at rest, in use or in transit. They agree that data such as SSNs linked to names should rank at the top of the list of items needing to be encrypted. Although banks, financial institutions, retailers and state entities may be encrypting data some of the time, it’s clearly not enough as the SC breach so clearly defines.
Other security experts have contended that it’s not that difficult to have multi-layered security solutions in place to protect sensitive personal data no matter how it is being transmitted, used and stored. Check out EdgeWave Web and email security solutions that offer multi-layered protection against malware, botnets and data loss, including both TLS and park-and-pull email encryption integrated with a DLP solution.