I missed much of Friday’s news cycle, as I was traveling to visit my parents in South Carolina. We met them at our favorite local Mexican restaurant for dinner, and within 5 minutes, Dad was telling me about how my Social Security Number has probably been compromised and that I need to make a phone call to get free credit monitoring, courtesy of South Carolina.
About a month ago, someone from an international network compromised the South Carolina Department of Revenue’s web site to expose 3.6 million Social Security numbers and 387,000 credit card numbers. Of those credit card numbers, most were encrypted, but 16,000 of them were stored in plain text. All of the Social Security numbers were stored in plain text. The news of this fiasco hit the wire on Friday.
The reactions by South Carolinians that I spoke with this weekend were all pretty much the same: a mixture of anger and frustration. There are some people online calling for Governor Nikki Haley’s head on a platter, but it’s ridiculous to suggest that she would somehow know of vulnerabilities on a web server in a data center somewhere.
Yes, heads should roll; but Haley is the Governor, not the head of I.T.
This story is of particular interest to me: first because I have paid South Carolina income taxes since 1998, so my information is in the data that was compromised, but also because I’ve managed web servers and security for equipment that handles this type of information. I understand the steps that are needed to protect this type of information.
(This is another excellent opportunity for me to remind you that the thoughts and opinions expressed on this site are my own, and they are not endorsed by anyone else, including my employer. I am not authorized to speak on behalf of any person or company about anything.)
The biggest issue with this story isn’t that there was a breach. When you connect systems to the internet there will, inevitably, at some point, be a breach. The issue of concern isn’t even that the web server in question was not updated appropriately. Not patching servers in a timely manner can open you up to security vulnerabilities, but the real issue to be concerned with here is the fact that personally identifiable information (known within the industry as PII) was stored on a server in plain text, without any encryption whatsoever.
There is never any legitimate reason to store any PII in clear text on any server, anywhere, ever. Period.
There are industry standards for this sort of thing. Some of these practices were already in place for the credit card numbers being stored. That’s what’s really frustrating; it takes minimal additional effort to encrypt additional data if you’re already encrypting some of the data. The credit cards were (mostly) encrypted, but the Social Security numbers were not.
And, just so we’re clear, when you encrypt this data like you’re supposed to, it doesn’t matter if a hacker gets the data. If it’s encrypted properly, the data will be useless to the hacker. That’s the point of the encryption.
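To make concrete what "encrypted properly" and "minimal additional effort" mean for a stored field, here is an added example (my own illustration, not code from the Department of Revenue or anyone else). It assumes a hypothetical taxpayer table where each PII column holds AES-256-GCM ciphertext and the 32-byte key comes from a key-management service, so the same two functions cover the card number and the Social Security number alike, and a copy of the table without the key reveals nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newGCM builds AES-GCM from a 32-byte key (AES-256) fetched from a KMS or HSM; the key is never stored with the data.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one PII column (SSN, card number, ...); a fresh random nonce is prepended, so the same call protects any additional column.
func SealField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenField reverses SealField; the GCM tag makes a wrong key or a modified ciphertext fail outright instead of decrypting to garbage.
func OpenField(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:n], ct[n:], nil)
	return string(pt), err
}
```

Because the nonce is random per call, two records holding the same SSN produce different ciphertext, so an attacker with only the table cannot even tell which rows match.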
South Carolina is offering credit monitoring for a year for those whose data was breached. That’s a nice gesture, but if my Social Security number is in the hands of identity thieves now, it’ll still be in their hands in a year.
It’ll be interesting to see what the state does about this policy of not encrypting PII. I don’t know if it was the decision of someone in I.T. or someone in the Department of Revenue. Either way, someone in South Carolina needs to find himself without a job in the very near future.