Phishing Scam Hooks South Carolina Department of Revenue: No One Is Immune

If you’ve ever thought that your organization is invulnerable to cyberattack, think again. The sheer volume of cyberattacks should convince you otherwise. But it’s also obvious that all organizations, in every industry, have been subject to attack. Even government tax authorities.

For instance, in November 2012, South Carolina’s Department of Revenue was hit with one of the worst cyberattacks against a state government in U.S. history. This cyberattack led to 3.8 million tax returns, social security numbers, and other information being stolen by a single international hacker.

Notably, this attack was the result of one of the most common cyber-hacker tricks – the phishing scam.

South Carolina Department of Revenue employees receive a lot of emails on a regular basis. In August of 2012, a hacker (thought to have originated in Russia) began sending emails to Department of Revenue employees with an embedded link that contained a computer virus. This is a classic phishing scam: it lures a user to click on the link and download an executable of malicious code, commonly referred to as a “virus.” In this instance, the virus was programmed to harvest log-in and other credentials from the computer and give the hacker access to the computer system. One employee eventually clicked on the link, and the virus immediately harvested the employee’s log-in and other credentials and provided them directly to the hacker. Two weeks later, the hacker began using the employee’s credentials to access the Department’s data in earnest. Once inside, the hacker began copying and downloading the information (using WinZip) off the Department’s servers. While some information was encrypted, social security numbers were not, and neither was bank account information. It was not until the Secret Service contacted South Carolina about the stolen information that the Department of Revenue understood a breach had occurred.

This data breach, unlike most, led to political fallout. The 2014 South Carolina Governor’s election pitted incumbent Governor Nikki Haley against Vincent Sheheen, a state senator. Sheheen’s campaign sent out letters to voters attacking Governor Haley’s leadership and cited the breach of the Department of Revenue information as a “massive breach of public trust.” Political consequences piled on top of the financial damages, as the state executed a $12 million contract with credit-reporting agency Experian to protect those affected by the breach.

This episode should convince any doubters that no organization is immune from cyberattack.
