Anatomy of a Breach: South Carolina Department of Revenue — 3.6 Million Social Security Numbers, Unencrypted

> series: anatomy_of_a_breach —— part: 046 —— target: south_carolina_dor —— ssns: 3,600,000 —— encryption: none

Hedgehog Security 31 October 2012 12 min read

3.6 million Social Security numbers. Not one was encrypted.

In October 2012, South Carolina Governor Nikki Haley disclosed that the state's Department of Revenue (DOR) had been breached and that attackers had stolen 3.6 million Social Security numbers, 387,000 credit and debit card numbers, and 3.3 million bank account records — all belonging to South Carolina taxpayers. The data was stored unencrypted. The breach was traced to a spear-phishing email that compromised an employee's credentials, providing the attackers with access to the tax database.

When asked why the Social Security numbers were not encrypted, Governor Haley stated that encryption was 'not prior to this legally required' — a defence that highlighted the gap between legal minimum requirements and actual security needs. The breach cost the state over $20 million in response, remediation, and credit monitoring for affected taxpayers, and led to mandatory encryption requirements for state agencies. The incident parallels the HMRC breach — a government tax agency holding millions of citizens' most sensitive financial data without the most basic protective controls.


One phishing email. 3.6 million identities.

The attack began with a phishing email to a state employee. The email delivered malware that captured the employee's credentials, which were then used to access the Department of Revenue's systems. From there, the attackers accessed the tax database and exfiltrated millions of records. The attack chain was identical to the pattern that began the RSA SecurID breach: phishing → credential theft → database access → mass exfiltration.

Phishing — Still the Number One Vector

A single phishing email provided the initial access that led to 3.6 million SSNs being stolen. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test whether your staff would click the email that begins the attack chain. Every major breach in this series — RSA, Lockheed, South Carolina DOR — started with a phishing email.

No Encryption on the Crown Jewels

Social Security numbers — the most sensitive personal identifiers in the US system — were stored without encryption. The UK equivalent — National Insurance numbers combined with financial data — requires the protection that <a href="/cyber-essentials">Cyber Essentials</a> mandates and our <a href="/penetration-testing/infrastructure">infrastructure testing</a> verifies.

No MFA on Database Access

The phished credentials provided direct access to the tax database without a second factor. MFA — now a <a href="/cyber-essentials">Cyber Essentials Danzell auto-fail criterion</a> — would have prevented the credential from being usable even after the phishing email succeeded.

No Monitoring Detected the Exfiltration

The attackers exfiltrated millions of records without triggering any alerts. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the bulk data access patterns and exfiltration indicators that would have flagged this activity within hours.
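The "bulk data access patterns" that monitoring should catch can be expressed as a couple of plain detection rules over database audit logs. The Python below is an added example written for this article, not SOC in a Box's or Hedgehog Security's code: the audit-log line format, the thresholds, the account names and every log line are constructed assumptions. It flags a single query returning an unusually large number of rows, and the low-and-slow variant where many smaller reads by one account add up inside a rolling window, and it tags each alert with whether it happened outside business hours.

```python
"""Bulk data access detection over constructed database audit log lines.

Added example for this article, not a product's own code. The log format,
the thresholds, the account names and the sample lines are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format (an assumption, not any real product's format):
#   <ISO timestamp> user=<account> table=<table> rows=<rows returned> bytes=<bytes sent>
SAMPLE_LOG = """\
2012-08-27T09:02:11 user=clerk01 table=taxpayer rows=1 bytes=812
2012-08-27T09:02:40 user=clerk01 table=taxpayer rows=1 bytes=790
2012-08-27T09:03:05 user=clerk02 table=returns rows=3 bytes=2400
2012-08-27T14:10:00 user=batch_report table=returns rows=80000 bytes=64000000
2012-08-27T23:14:02 user=clerk01 table=taxpayer rows=20000 bytes=16000000
2012-08-27T23:16:30 user=clerk01 table=taxpayer rows=20000 bytes=16000000
2012-08-27T23:19:47 user=clerk01 table=taxpayer rows=20000 bytes=16000000
2012-08-27T23:22:05 user=clerk01 table=taxpayer rows=20000 bytes=16000000
2012-08-27T23:25:30 user=clerk01 table=taxpayer rows=20000 bytes=16000000
2012-08-27T23:28:51 user=clerk01 table=bank_accounts rows=300000 bytes=180000000
2012-08-28T08:55:12 user=clerk03 table=taxpayer rows=2 bytes=1600
"""

# Constructed thresholds; a real deployment would baseline these per table and role.
SINGLE_QUERY_ROWS = 50_000                # one query returning this many rows is a bulk read
WINDOW = timedelta(hours=1)
WINDOW_ROWS = 100_000                     # smaller reads adding up to this within WINDOW
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59; anything else is "off hours"
KNOWN_BULK_ACCOUNTS = {"batch_report"}    # baselined batch jobs, exempt from the single-query rule


def parse_line(line):
    """Parse one constructed audit line into a dict; raises on malformed input."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": kv["user"],
        "table": kv["table"],
        "rows": int(kv["rows"]),
        "bytes": int(kv["bytes"]),
    }


def detect_bulk_access(log_text):
    """Return a list of alert dicts for bulk-read patterns found in the log text."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    window = defaultdict(list)  # user -> [(ts, rows, bytes), ...] of sub-threshold reads

    def alert(rule, e, rows, nbytes):
        alerts.append({
            "rule": rule,
            "user": e["user"],
            "ts": e["ts"].isoformat(),
            "rows": rows,
            "bytes": nbytes,
            "off_hours": e["ts"].hour not in BUSINESS_HOURS,
        })

    for e in events:
        if e["rows"] >= SINGLE_QUERY_ROWS:
            if e["user"] not in KNOWN_BULK_ACCOUNTS:
                alert("single_query_bulk_read", e, e["rows"], e["bytes"])
            continue  # large reads are not also counted toward the low-and-slow rule

        # Low-and-slow: keep a rolling window of sub-threshold reads per account.
        recent = window[e["user"]]
        recent.append((e["ts"], e["rows"], e["bytes"]))
        cutoff = e["ts"] - WINDOW
        recent[:] = [(t, r, b) for t, r, b in recent if t > cutoff]
        total_rows = sum(r for _, r, _ in recent)
        if total_rows >= WINDOW_ROWS:
            alert("cumulative_bulk_read", e, total_rows, sum(b for _, _, b in recent))
            recent.clear()  # fire once per window, then start counting again
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_LOG):
        print(a)
```

Run against the constructed log, the detector stays quiet on the daytime single-record lookups and the allow-listed batch job, raises one cumulative alert when clerk01's chunked night-time reads cross 100,000 rows, and one single-query alert for the 300,000-row pull from the bank account table. In practice the thresholds, the allow-list and the business-hours baseline are what separate a usable rule from a noisy one, and the off-hours flag is a cheap way to prioritise which alerts an analyst looks at first.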

'Not legally required' is not a security strategy.

Governor Haley's statement that encryption was not legally required illustrated the dangerous mindset of treating legal minimum requirements as security targets. Legal compliance is a floor, not a ceiling. The HMRC breach taught the UK this lesson in 2007. The South Carolina breach taught the same lesson in the US five years later. The organisations that avoid catastrophic breaches are the ones that go beyond legal minimums to implement proportionate security controls.

Cyber Essentials certification provides a baseline that exceeds most legal minimums — including encryption, access control, patching, and MFA requirements. Our penetration testing identifies the gaps between what the law requires and what security demands. SOC in a Box provides the monitoring that detects breaches before millions of records are exfiltrated. And UK Cyber Defence provides the incident response capability that turns a breach into a managed incident rather than a crisis.

'Not legally required' cost South Carolina $20 million. What is your security baseline?

<a href="/cyber-essentials">Cyber Essentials</a> goes beyond legal minimums. <a href="/penetration-testing">Penetration testing</a> identifies real-world risks. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors continuously. Because 'not legally required' is not a defence your customers, your regulator, or the ICO will accept.
