Someone snuck into the South Carolina Department of Revenue database in August and made off with the names and Social Security numbers of 3.6 million South Carolinians. (To put it in perspective, the population of the entire state is 4.6 million.) Some 387,000 of those names and Social Security numbers were paired with credit card information.
All of the Social Security numbers and thousands of the credit card numbers were unencrypted.
Why would any government agency — or private company, for that matter – store such sensitive personal information in an unencrypted database?
While the breach occurred in August, it was not discovered until Oct. 10, and not made public until late last week. At a news conference this week, South Carolina Gov. Nikki Haley explained:
The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt, a lot of those agencies that you think might encrypt Social Security numbers actually don’t, because it is very complicated, it is cumbersome, and there’s a lot of numbers involved with it.
I have no idea who is in charge of data security for the state of South Carolina, but I cannot imagine him or her saying, “Governor, let’s not encrypt sensitive taxpayer information because, you know, it’s just too darned complicated and there are too many numbers involved with it.” More likely, the numbers were preceded with a dollar sign and the budget overseers said no.
Gov. Haley, whose autobiography is titled “Can’t Is Not an Option,” also insisted that stopping hackers is not an option. “If the CIA can be hacked into, anybody can be hacked into.”
“This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it,” Gov. Haley said. “This was a sophisticated hacker who creatively looked at the system. This was no simple breach.”
Really? The investigation is under way and the authorities have not yet disclosed the modi operandi of the hacker(s). But my bet is that the hacker simply pwned a state employee into giving up his or her legitimate user ID and password to the Department of Revenue database. We’ll see.
The bottom line is this: If you assume that your system is going to be hacked — probably a good assumption if there are human beings involved — and you have sensitive information to protect, then it is absolutely essential to use strong encryption. If the thief makes off with encrypted data, all he will get is gibberish.
UPDATE Nov. 16, 2012: From ThreatPost: “NASA has enacted new policies to protect employee and other sensitive information after a laptop was stolen from an employee’s locked vehicle, exposing records of personal information on a “large number” of NASA employees. The laptop was not protected by whole disk encryption, NASA officials said, putting an undisclosed number of employees at risk for identity theft and other abuses of personal data. . . . In March 2011, a laptop was stolen that contained algorithms used to control the International Space Station; one of 48 laptops stolen between 2009 and 2011. As of Feb. 1, one percent of NASA laptops were encrypted.”