A SINGLE LOST PASSWORD was all it took for personal details belonging to 3.8 million South Carolina taxpayers to be exposed.
The leak, which also affected around 700,000 businesses, is covered in a report from Mandiant (PDF), an information security company, and was introduced by Governor Nikki Haley at a press conference.
Haley apologised for the breach, saying that the South Carolina Department of Revenue could have done a better job. She said "we had 1970 equipment" that when presented with IRS compliance was "a cottontail for attack". "We should have gone above and beyond what we did," she added.
Haley added that only people who had filed returns electronically are affected, and there is the suggestion that could include anyone who filed after 1998.
She said, "We know how exactly who they were," saying that they would be contacted and offered information about identity protection soon.
The leak happened, said Mandiant in its report, because someone clicked on an untrusted link in email. Doh. "August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees," it said.
"At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised."
An attacker who had taken a login and a password then started a five week period of intrusion and would snoop about, copy data from databases and install his own backdoors.
Mandiant said that during this period three systems had database backups or files stolen from four different IP addresses. The attacker created 15 encrypted zip files that when decompressed would yield approximately 74.7GB of data.
It said that the files were a mix of encrypted and unencrypted data, adding that while the intruder took an encrypted version of the data encryption key, there was no evidence that the actual key was taken too. µ