The State of South Carolina has identified a hacking incident that has placed personal information of South Carolina residents at risk. Anyone who has filed a tax return in the Sate of South Carolina since 1998 has been directed to contact law enforcement officials to determine if personal information has been compromised.
A state employee opened a malicious phishing email link which gave the hacker the employee's user name and password. This allowed the hacker access to the government's Citrix remote access service, through which the hacker was able to obtain copies of millions of personal records. The state determined that the Department of Revenue stored 3.3 million bank account numbers and 3.8 million tax returns containing Social Security numbers for 1.9 million children and dependents in an unencrypted format.
The hackers were able to access to the records for weeks without being detected. This incident came to light when the U.S. Secret Service traced stolen information to the state tax returns.
The South Carolina governor blamed the IRS for not requiring the state to encrypt Social Security numbers. Had the SSNs been part of a health plan record, encryption would have been required under HIPAA.
The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. This is a good reminder to both review phishing emails and store sensitive data in an encrypted format.
