South Carolina state officials announced Friday evening that the Social Security numbers of some 3.6 million state residents and 387,000 credit and debit card numbers were exposed in a data breach. The SSNs were stored unencrypted, and while most of the credit cards were encrypted, some 16,000 card numbers were not.
South Carolina Governor Nikki Haley sounds angry:
“I want this person slammed against the wall,” she said, referring to the attacker as “an international hacker.” “I want that man just brutalized,” Haley said.
Yes, well. I want my SSN encrypted.
We come, alas, to a personal anecdote.
Once upon a time, I had a server that ran an application that stored card swipe numbers. Most of them were numbers generated by my employer, but some of them–my coworkers’ cards–were SSNs. This server was placed without my knowledge in an insecure location. (The AC went out, so they tied the door open.) When I found out, I tried to remove the server and was told I wasn’t allowed. One of the things I did do was to quietly go in and delete my coworkers’ SSNs out of the database. Including the SSN of the person I hold responsible for the situation.
You’re welcome, by the way. (I think this is the first time I ever told anyone I did that.)
I don’t blame Governor Haley for being angry. I’d be angry if I were a South Carolina resident, too. I would have been angry if someone messed with the server in the overheated, insecure location, but I would have blamed the people who told me to leave it there as much as the hacker. Encrypting PII (Personally Identifiable Information) wouldn’t have been complete protection, but at least it would have made it harder. Especially since people can’t opt out of paying their taxes on the grounds that they don’t trust the DOR to protect their data.
And, you know. Not to single out South Carolina. How secure is your state’s Department of Revenue?
Happy Halloween! Sleep well!