Tuesday, October 30, 2012

Hacked about #schacked

I'm hacked about #schacked.

Last Friday, October 26, news broke that the South Carolina Department of Revenue was hacked, and a few million Social Security Numbers, and a few hundred thousand credit and debit card numbers, were exposed to hackers. The breach affects residents who filed tax returns going back for almost fifteen years. 15 YEARS!

There's a Twitter hashtag, #schacked, for people wanting to follow the events.

I'm irritated about several things:

1. That it happened. Not only that it happened, but that it has been happening. Apparently, there have been numerous system breaches going on for months.

2. The bad guys had a 16-day head start. The state admits that it knew about the breach sixteen days before informing the public.

3. The cost to the state (i.e., taxpayers) is "capped" at $12 million. Presumably this does not include the additional cost due to the head start the bad guys had. The $12M divided by the 4.5M population works out to a little less than $3 per person, if that makes you feel any better.

4. SC's helpful suggestions. These include getting a free activation code for Experian's ProtectMyID alert. It took a day or two for me to get through to get the code. It was a laughably simple code, and there's not a clear reason why the code could not have been posted online, instead of forcing millions of people to call a toll-free number. And now to protect my information, I have to enter it into yet another system.

5. The blame game. When the news of the breach broke, residents had to call a toll-free telephone number to get the code. For me, I got busy signals until Saturday afternoon, at which time I got a recording which provided the code. The code did not work for me until Monday. With potentially millions of people affected by this, one would naturally expect wait times and busy signals. But at today's press conference the governor implied it wasn't the millions of affected residents causing the busy signals, it was the relative handful of journalists trying to cover the story. Additionally, the governor says that the social security numbers were not encrypted because the "industry standard" is that those numbers aren't encrypted.

News
http://www2.wspa.com/news/2012/oct/30/26/experts-say-credit-monitoring-being-provded-sc-wil-ar-4836674/
http://www.dispatch.com/content/stories/national_world/2012/10/30/hack-has-s-c--folks-open-to-id-theft.html
http://www.postandcourier.com/article/20121030/PC16/121039950/haley-hacking-8220-absolutley-bizarre-8221-state-costs-for-monitoring-capped-at-12-million&source=RSS

1 comment:

Bucky said...

There is one more step to help prevent someone from opening an account using your data.

Put a security freeze on your credit file at Equifax, TransUnion, and Experian at the following URLs.

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp

https://www.experian.com/freeze/center.html

This prevents anyone -- including you -- from getting approval to open a new account. You can temporarily or permanently remove the freeze, should you wish to open a new account yourself.