Connect with us

Hi, what are you looking for?


Data Protection

The South Carolina Data Breach: A Lesson in Deaf and Blind Cybersecurity

Last week, South Carolina’s (SC) Governor presented the results of the investigation over the exposure of the personal data of nearly 4 million individual filers and 700,000 businesses

Last week, South Carolina’s (SC) Governor presented the results of the investigation over the exposure of the personal data of nearly 4 million individual filers and 700,000 businesses in the SC Department of Revenue (DoR) data breach.

The investigation provided a detailed timeline of the breach and revealed that data protection in the DoR was lacking to the extent that the DoR had almost no visibility to the attack. The damning results have even led to the resignation of SC’s DoR director. Recently, the state made the technical report on the investigation publicly available. The availability of the report (PDF) gives the security community a unique glimpse into the nuts and bolts of compromised insider campaign and an opportunity to determine and develop effective countermeasures.

South Carolina Data BreachThe Attack Time Line

On August 13th, 2012, a malicious email was sent to multiple DoR employees. At least one of them clicked on the embedded link, unwittingly executing a malware and became compromised. The malware stole the user’s username and password. Two weeks later, the attacker logged into the machine using a remote access service (Citrix) with the stolen credentials.

The attacker then began propagating into the network by installing some password grabbing utilities, later using the obtained passwords to connect to more servers and so forth. Throughout the propagation process, the attacker used some generic databases client software to search for interesting data. On September 12th, one month after the initial infection, the attacker found worthy loot in the form of DoR database backup. It took the attacker two days to copy the 74GB (!!) database, and send it the attacker servers via another server within the victim’s internal network. This was pretty much the last contact the attacker had with its target.

On October’s 10th, two months after the initial infection and one month after the attacker had finished its attack, the Secret Service had informed DoR of the breach. Needless to say, DoR “had no idea what had happened.”

Data Access Monitoring is the Key

There’s a striking contrast between the magnitude of SC DoR’s breach and their visibility. The physical equivalent of the incident would be for bank robbers to blast their way into the vault room, and then drag the vault around the bank for two days before running away with the plunder without anyone hearing or seeing them. In the physical world, it can only happen if all the security personal were deaf and blind.

Advertisement. Scroll to continue reading.

The South Carolina Department of Revenue attack went unnoticed only because the DoR’s security team was not able to monitor and control data access across DoR’s internal network and servers, making them the cyber equivalent of deaf and blind to the attack. Their security budget and focus was probably totally invested in anti-virus technology intended to block the initial infection. When their first line of defense was breached, due to antivirus’ inherent limitations, they were left unaware and defenseless against the attack.

Investing in the right “ears and eyes” to monitor the access of servers, databases and files, would have made the detection of the attack an easy task, as the attack was very “noisy”. The attacker had accessed privileged data on an arbitrary time from an arbitrary process with read permissions, while usually the data get accessed only by the internal backup process, with the backup account privileges, on the regular backup times with write permissions. Additionally, the attacker had moved and processed the data few times before sending it out of the network, giving a lot of missed chances for the alarm system, which was not there, to set off the burglars’ alarm.

The Responsibility of Senior Management

It was that striking contrast between the size of the data stolen from SC DoR and the total lack of visibility they had to it, that had cost the Department of Revenue director his position. In the financial world, personal accountability is required under the Sarbanes-Oxley (SOX) Act which holds top level executives personally accountable for the accuracy of financial reports. The South Carolina incident should send a clear message to senior management on the digital front: data security is equally paramount.

Related Reading: Stolen Login Credentials, Poor Security Practices Led to South Carolina Data Breach

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.