Case Study: Data Breaches and Regulatory Requirements
South Carolina Department of Revenue (SCDOR) Data Breach

Data breaches pose a significant threat to individuals, businesses, and government departments. Protecting an organization against this massive invasion of privacy requires establishing system security controls, continuously monitoring those controls, educating all users about avoiding phishing attacks, and maintaining a strong IT infrastructure. An attack on the system can lead to the loss of valuable data, the compromise of that data, and the use of personally identifiable data for malicious ends. Attackers can use sensitive data such as financial information to withdraw large sums of money from the victim’s bank or to leak company secrets. The case of SCDOR shows that users untrained in identifying phishing attacks, a lack of internal network monitoring, and unencrypted data can lead to a massive data breach.

The Data Breach Incident

The data breach started on August 13, 2012, when an attacker sent a malicious email to multiple SCDOR employees. One employee clicked a malicious link in the email, which led to malware being installed on the employee’s computer. He did not know that this was a phishing scheme. The hacker who sent the email used the malware to obtain the employee’s credentials. Within two weeks, the hacker used those credentials to gain access to the SCDOR system and network through a remote access service (Citrix) (Loy et al., 2013). The hacker installed password-grabbing utilities, obtained passwords, and connected to 21 of the department’s servers. By the end of the data breach, 3.5 million Social Security numbers and 16,000 credit card numbers had fallen into the wrong hands (Mikhed & Vogan, 2018). The hacker compromised the data of 3.8 million tax filers, 1.9 million dependents, and 700,000 businesses. All the stolen data was unencrypted. SCDOR did not know of the attack until two months after it began, which was one month after the attacker completed the attack.

Primary Causes of the Data Breach

The primary cause of the data breach is traced to three security flaws. The first flaw is that the workers were not trained to detect malicious links while using the organization’s network. The employee who clicked the malicious email may have known little about detecting phishing attacks. The second cause is that workers at the department did not use multiple strong passwords to secure their data. The hacker could not have obtained the passwords of all Windows account users if the passwords had met multiple complexity criteria (Loy et al., 2013). The third flaw is that the state did not encrypt sensitive tax data. The hacker stole only unencrypted data. If the data had been encrypted, the attacker could not have read it even after gaining access to the network.

How the Data Breach Could Have Been Prevented by Adherence to FISMA

The Federal Information Security Management Act (FISMA) sets security requirements for every federal network by issuing a set of guidelines. The fourth compliance guideline is a system security plan (Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, & Department of Commerce, n.d.). In this requirement, the security analysts outline their plan to keep the system secure. An example is compelling every user to have a 14-character password (Lohrmann, 2012). The sixth guideline further requires a security assessment in which a different security analyst takes the security plan that the first analyst created and tests it. If this requirement had been followed, it would have been difficult for the attacker to obtain the user account passwords of all Windows users and access 21 servers.

The ninth FISMA guideline requires security controls to be continuously monitored. The program officials and heads of the agency had the duty to review information security programs to keep risks to a minimum. The attack that began on August 13 continued until October 17 without being noticed by the information security analysts (Loy et al., 2013). If the security analysts had monitored the system weekly or fortnightly, they could have intercepted the data breach. According to the Mandiant report that provided a timeline of the breach, the attacker took 14 days from the time the employee unwittingly executed the malware to the time the attacker accessed the departmental system (Loy et al., 2013). Regular monitoring of security controls could have prevented the loss of data.

SCDOR’s security team relied entirely on antivirus technology and ignored monitoring and control of access to the internal network. However, antivirus software has inherent limitations and should only be relied upon as the first line of defense. Once the attack had bypassed the antivirus, nothing else could notice it; thus, SCDOR was left defenseless. Data is normally accessed by the internal backup process at scheduled backup times, whereas the attacker accessed data through an arbitrary process at arbitrary times. The attacker also processed and moved data on several occasions and sent it out of the network to his own servers. The attacker took two days to copy 74GB of DOR database backup (Mikhed & Vogan, 2018). The attack provided numerous red flags that even weak monitoring of the system would have identified. Therefore, there was no internal monitoring of the system, violating the ninth step of compliance with FISMA.
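The two red flags described above (backup data read by a non-backup process outside the scheduled window, and a very large volume read by one user over a short period) can be turned into simple detection rules. The following is an added illustration, not code from the essay or from SCDOR; the log format, the backup window, the process names and the volume threshold are all assumed, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log: timestamp, user, process, action, bytes.
# Hypothetical format; the entries are invented for this illustration.
SAMPLE_LOG = """\
2012-08-27T02:05:00 svc_backup backup_agent read_backup 4000000000
2012-08-28T02:05:00 svc_backup backup_agent read_backup 4100000000
2012-09-13T14:21:00 jdoe cmd.exe read_backup 9500000000
2012-09-13T22:40:00 jdoe 7z.exe read_backup 30000000000
2012-09-14T13:02:00 jdoe 7z.exe read_backup 35000000000
"""

BACKUP_WINDOW = (time(1, 0), time(4, 0))   # assumed scheduled backup window
BACKUP_PROCESSES = {"backup_agent"}        # assumed legitimate backup process
DAILY_BYTES_THRESHOLD = 20 * 10**9         # assumed: 20 GB per user per day

def parse_log(text):
    """Parse the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, proc, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "proc": proc, "action": action, "bytes": int(nbytes)})
    return events

def find_alerts(events):
    """Flag backup reads outside the expected process/window, and bulk reads."""
    alerts = []
    per_day = defaultdict(int)   # (user, date) -> total bytes read
    for e in events:
        if e["action"] != "read_backup":
            continue
        t = e["ts"].time()
        in_window = BACKUP_WINDOW[0] <= t <= BACKUP_WINDOW[1]
        if e["proc"] not in BACKUP_PROCESSES or not in_window:
            alerts.append(("unscheduled_backup_access",
                           e["ts"].isoformat(), e["user"], e["proc"]))
        per_day[(e["user"], e["ts"].date())] += e["bytes"]
    for (user, day), total in per_day.items():
        if total > DAILY_BYTES_THRESHOLD:
            alerts.append(("bulk_backup_read", day.isoformat(), user, total))
    return alerts

def demo_alerts():
    """Run both rules over the constructed sample log."""
    return find_alerts(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The scheduled backup reads produce no alerts, while every read by the interactive user is flagged twice over: once per out-of-window access and once per day in which the volume exceeds the threshold.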

Deficiencies in Regulatory Requirements and Mitigation Measures

The greatest deficiency of FISMA was that the guidelines did not expressly require federal institutions to encrypt sensitive data such as the tax information of filers. Though encryption is one of the most reliable safeguards for protecting taxpayers’ data, the Internal Revenue Standards (IRS) had no policy or process for encryption. The lack of encryption allowed the hacker to easily access 21 servers and retrieve personally identifiable data (Mikhed & Vogan, 2018). The regulations must make encryption a routine practice in all federal agencies. The FISMA guidelines must include encryption as a mandatory process to prevent attackers from reading data when they gain access to the network.

References

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, & Department of Commerce. (n.d.). FISMA Implementation Project. Retrieved May 12, 2020, from http://csrc.nist.gov/groups/SMA/fisma/index.html

Lohrmann, D. (2012, April 22). Dark Clouds over Technology: Pondering Action after Recent State Government Data Breaches. Retrieved May 12, 2020, from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Dark-Clouds-Over-Technology-042212.html

Loy, S. L., Brown, S., & Tabibzadeh, K. (2014). South Carolina Department of Revenue: Mother of government dysfunction. Journal of the International Academy for Case Studies, 20(1), 83-93.

Mikhed, V., & Vogan, M. (2018). How data breaches affect consumer credit. Journal of Banking & Finance, 88, 192-207.
