12:01PM EST November 14, 2012 – COLUMBIA, S.C. — All state agencies have some type of computer security system in place, but there is no mandatory policy, standards, monitoring or enforcement for each of the approximately 100 state agencies, boards, commissions, colleges and universities that operate computers, the state’s inspector general says.
Nearly three weeks after officials disclosed a massive data breach at the Department of Revenue, Inspector General Patrick Maley said a task force has been created to address cyber security, agencies have been asked to take short-term “remediation” steps to address fundamental security measures and officials are beginning talks on how to address the lack of a statewide, mandatory security policy.
“It’s clear we need some statewide mechanism in order to coordinate and address these issues,” Maley told GreenvilleOnline.com. “Somebody has to be in charge.”
Meanwhile, a former top official with the FBI said Tuesday that if just 1 percent of the taxpayers and businesses whose information was hacked in September at the Revenue Department have their information misused, it could cost them more than $350 million, based upon past FBI experience.
And that misuse could be more than a year away, based upon past experience with identity theft, said Chris Swecker, the former No. 3 official at the FBI.
Swecker told GreenvilleOnline.com that even if only 1 percent of the 650,000 businesses whose information was exposed in the massive data breach was used for financial gain, it could mean losses totaling $338 million. He said 1 percent of individuals’ data misused could cost $22 million.
“Tax returns are the holy grail for bad guys,” he said. “It has everything.”
Maley said after talking to agencies’ computer officials for the past two weeks, it is clear that every agency is trying to protect its information.
“The question for the state is, we’re sitting on top of the requirement to protect everybody’s information, yet we have no mechanism to know what’s going on or set standards as to where do we want to set this security threshold,” he said.
The DOR breach, the biggest in the state’s history, exposed 3.6 million Social Security numbers, 387,000 mostly encrypted credit or debit card numbers and information belonging to more than 650,000 businesses. The agency’s computer system was breached four times, officials have said, and the data was exposed in September.
Gov. Nikki Haley publicly disclosed the hacking on Oct. 26, 16 days after the U.S. Secret Service notified the state of the hacking. Officials have said they didn’t immediately disclose the breach so that a criminal investigation could develop further. No arrests have been announced in the case.
Free credit monitoring has been offered to individual taxpayers or businesses who have filed returns in the state since 1998.
Swecker made his comments after a conference on financial fraud detection and prevention by government agencies arranged by Treasurer Curtis Loftis.
None of the speakers, who also included Maley and Greg Henderson, an official with SAS Institute who works with state governments to detect and prevent fraud using analytical software, talked about the DOR breach. But Swecker discussed the crime afterward.
He said the hacking, while unique and historic in its scope for South Carolina, isn’t unusual in the business world, having hit large companies.
“It happens every day,” he said. “It’s been playing out across corporate America for a while now. It amazes me but it’s never a problem until you get to a crisis. Nobody at the highest levels devotes much attention to this area until some real problem.”
He said he doesn’t have any inside information about what happened in the DOR breach, but said that in 95 percent of cases in which an organization is compromised through Internet crime, it usually begins with an executive who opens a phishing email, triggering malware that infects the computer and allows hackers access to the system.
Hackers usually study the organization first, he said, and target an executive because executives are often unaware of security risks.
He said if he had to guess, he believes the DOR hacker was from Eastern Europe and gained access through a phishing email.
Swecker, who also formerly headed security for Bank of America, said it is “absolutely essential” that all agencies in state government operate under the same security policy.
Loftis told the state officials that his office has studied the policies of agencies related to security and treatment of confidential information and found that most haven’t updated their policies in many years. He said he has had a difficult time finding agencies that are “buttoned up” in the protection of confidential information.
“We’ve just got to do better,” he said. “This is a tipping point.”
Swecker said financial fraud is the dominant crime of this millennium.
Much of the fraud, he said, is being committed by sophisticated professionals who are technically savvy and operate out of Eastern Europe and Russia.
Those organizations, he said, “make the Cosa Nostra look like Boy Scouts.”
The professionals are systematically looting organizations, including governments, because there is low risk at being caught or prosecuted and there are high rewards, he said.
Financial fraud is a $220 billion annual business, Swecker said, including an estimated $37 billion in damages from identity theft.
Much of the crime happens, he argued, because of the “human factor,” not technology.
When he studied cyber crime as head of the FBI’s North Carolina office, looking at 12 small businesses, he found that each one had been compromised by a Russian criminal organization. Yet none of the businesses was aware it had been hacked.
The proliferation of mobile devices and laptops, as well as the lack of security awareness in many businesses and organizations, allow cyber criminals to commit fraud undetected until years after the fact.
Many of the nation’s biggest cases of fraud, he said, were detected only after years of operation and hundreds of millions of dollars of losses.
Also helping the criminals is the willingness of Americans to share volumes of personal information publicly on websites. Consumers and customers, he said, are the “weakest link” in protecting data.
“What people don’t understand is the second you get on the Internet, you’re in a very high-crime area that is totally unpoliced.”
And government agencies don’t help because they rarely share information, operate in “silos” and fail to link crimes and incidents of fraud. He compared the typical government response to the carnival game “Whac-A-Mole,” in which agencies go after each crime without looking for patterns.
He and Henderson, whose firm sells analytical software to detect fraud, urged agencies to cooperate more, to find ways to analyze the databases they have on hand, to share data and to hunt for the organizations that are preying on government programs.
They said many agencies currently employ a reactive approach, what Swecker calls “pay and chase” because many pay benefits and then look to see if any fraud has occurred.
“I think we can do a better job,” he said. “Go hunting for them as opposed to waiting to be a victim.”
He said that hunt begins with increased awareness by everyone in an organization, especially its executives.
“Most programs don’t want to admit they are vulnerable,” he said. “It’s not an admission of weakness. It’s just the system.”