Earlier in the month, the state of South Carolina announced a massive data breach that involved over 3 million taxpayers. As I envisioned at that time, the actual number reported in the media is fluctuating ever so gently…upwards. I figured I’d sit on the sidelines and see how it would play out, although it was pretty clear from the outset that the use of data encryption software could have eliminated a great deal of the current headache (but then again, perhaps not: there are reports that the hacker(s) could have compromised an encryption key).
Now, as the reports, forensic conclusions, and criticism are rolling in, it appears that this could be THE data breach of the year, similar to how Sony’s network attack last year was known in certain circles as THE breach of 2011 (with over 100 million people affected, it was kind of hard for Sony not to take the title).
On the other hand, there was the Global Payments fiasco earlier in the year that involved 7 million credit and debit card accounts. But then, credit cards are not SSNs: card numbers expire periodically and can be reissued.
What is certain at this point is that this is one expensive information security breach.
Costs: Real and Potential
What did the data breach cost? According to informationweek.com:
The bill for the data breach now exceeds $14 million, reported the Associated Press. Related costs include $500,000 for Mandiant’s efforts, $12 million for credit monitoring services from Experian, $800,000 for improved information security capabilities, $100,000 for outside legal help, $150,000 for a related public relations campaign as well as $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach. [informationweek.com]
No doubt, the figures will turn out to be higher by the time everything is finished. But, the $14 million figure is really just the tip of the iceberg. Consider how the breach was found out:
The breach remained undiscovered until about a month later, on Oct. 10, when the Secret Service informed state officials that information on three residents appeared to have been stolen. Two days later, the state hired Mandiant to help find out what happened. [informationweek.com]
The implication is, naturally, that the information stolen in the SC caper has been used illegally in at least three instances, and that the Secret Service connected the dots, which pointed to a yet-to-be-confirmed breach within the South Carolina government.
If three people were affected directly, how many more? And for how much? With banking information of over 3 million businesses and nearly 2 million Social Security numbers compromised, it only makes sense that more than three people were victimized. So, if the financial losses these people may encounter are factored in; plus the time, money, and energy the banks and other organizations put in to clear up any subsequent messes; plus those same factors that might be (will be?) spent in litigation…well, $14 million is really an understatement.
A Personal Cost – Accountability
Another revelation: the director of the state’s Department of Revenue, Jim Etter, has tendered his resignation due to the latest incident, to be effective on December 31, 2012. It’s a bit unusual to see heads rolling in instances such as these. On the other hand:
On that note, last week Gov. Nikki Haley said at a news conference that South Carolina Department of Revenue director Jim Etter would resign, effective Dec. 31. Etter had reportedly declined the offer of free breach-detection services from the state’s IT department. [informationweek.com]
Information security requires a confluence of different practices to be effective. Certainly, using encryption software to protect data helps to reduce data breaches. So does the use of two-factor authentication. But not even scanning your servers for signs of a breach? Such scanning won’t be perfect, but it’s certainly better than nothing. If Etter did turn down free security services — and it looks like it would have been an effective way of minimizing the breach — well, I guess there’s no way not to point fingers at him.