Connect with us

Hi, what are you looking for?


Data Protection

Stolen Login Credentials, Poor Security Practices Led to South Carolina Data Breach

A booby-trapped email message led to the massive data breach of South Carolina’s tax system over the summer, according to the latest timeline of events.

A booby-trapped email message led to the massive data breach of South Carolina’s tax system over the summer, according to the latest timeline of events.

On Aug. 13, unknown perpetrators sent an email containing malicious code to “multiple” South Carolina Department of Revenue employees, according to a four-page report from Mandiant released Tuesday. “At least one” employee fell for the trick and opened the file, which infected the computer. It’s likely the malware had keylogging capabilities to intercept the employee’s username and password. IT security firm Mandiant has been investigating the breach and provided a detailed timeline of the attack in its report.

South Carolina Data Breach DetailsSouth Carolina made two major mistakes, according to Mandiant. State workers were not required to use multiple passwords when trying to obtain sensitive information and the state also did not encrypt sensitive tax data. Back when the state disclosed the breach, Nikki Haley, South Carolina’s governor, defended the lack of encryption, as the guidelines from the Internal Revenue Service did not require Social Security Numbers to be encrypted. The state had followed best practices, Haley had said at the time, asserting that “nothing could have been done” to stop the breach.

“Could South Carolina have done a better job? Absolutely, or we would not be standing here,” a better-informed Haley said at a press conference Tuesday.

South Carolina discovered Oct. 10 that attackers had accessed Department of Revenue systems multiple times in August and September and transferred database backup files to a remote computer. The compromised database contained tax records that had been electronically filed since 2002, although some records went as far back as 1998. About 387,000 credit and debit card numbers of residents, 3.6 million Social Security numbers, and personally identifiable information of 1.9 million dependents were exposed. All in all, around 80 percent of South Carolina residents and 657,000 businesses were affected.

It all began with a malicious email sent to multiple employees, which eventually resulted in 44 systems, used 33 pieces of malicious software and utilities, remotely accessed Revenue Department servers from at least four IP addresses, and used at least four valid department user accounts to carry out their nefarious activities, the report said.

After stealing login credentials, the attacker used the legitimate user data to use the Critix remote access service, Mandiant said. The attacker used the Citrix portal to log into the user’s workstation and escalated privileges in order to access other systems and database on the network. The attacker harvested account passwords on six different servers, executed an utility to steal passwords for all Windows user accounts, and opened a backdoor to the compromised machine.

The attacker copied database backup files to a staging directory on Sept. 12 and zipped them into an archive, Mandiant found. The archived database file was transferred to a remote machine back on Sept. 13, that she said does not require the encryption of Social Security numbers, creating what the governor dubbed a “cocktail of an attack,” Haley said.

Advertisement. Scroll to continue reading.

“But what we can do is put so many layers in this process that it is awfully hard to get into.”

As this incident illustrates, and despite all the warnings, organizations are still failing to properly secure privileged access points.

According to security firm Cyber-Ark Software, attackers continue to breach the corporate perimeter through common attack methods such as  phishing attacks, malware infected attachments, social engineering, and other methods. Once inside, Cyber-Ark said, cyber-attackers infiltrate privileged access points to gain access to additional servers, databases and other high value systems.

“For years, the discussion on securing privileged access points focused mostly on the insider threat and ensuring that only the properly credentialed had access to these power accounts. Sophisticated cyber-attackers understand the power and wide ranging access these accounts provide — which is why they continue to be the number one target in the majority of cyber-attacks,” Adam Bosnian, executive vice president Americas at Cyber-Ark said in a recent statemet.

“Unsecured critical access points are a threat to all sensitive corporate data and systems and represent the greatest security challenge most businesses will face. Identifying all privileged access points and locking them down should be a priority for any security and compliance conscious executive,” Bosnian added.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.