Millions of Social Security Numbers Lost in Spearphishing Attack

Search Security reports that the South Carolina Department of Revenue’s systems were compromised by a spearphishing attack which exposed millions of Social Security numbers, bank account information and thousands of credit and debit card numbers.

The attack is spelled out in a detailed incident report posted on the State of South Carolina’s website. The attacker used a spearphishing email with a malicious link. When the employee clicked on the link, a series of unfortunate events unfolded. First, the employee’s log-in credentials were stolen. From there, the attacker leveraged the stolen credentials in a series of clever moves that ultimately compromised a large number of servers over the course of two months.

South Carolina Governor Nikki Haley blamed the IRS for the compromise of 74.7 GB of data on more than 3.8 million people, citing IRS policies that do not require the encryption of Social Security numbers.

We cannot comment on IRS policies. We do think it is important to acknowledge that this attack was successful because a clever person used email to deceive another person. This deception worked because it is easy to create compelling deceptive emails. You can see how this is done in our posting Spearphishing – The Movie. Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext 3 or use our online form.
