SC DOR Hack was Completely Preventable

From my latest article:

First off, let’s look at the political side of this. Why does the state have so much of our personal information in the first place? Aren’t we afforded privacy protection against the state by our natural rights, and by our Constitution? The answer is obvious: the income tax. In order to run a state-wide income tax administration, the state government must collect personal information from each taxpayer, including our social security number, address, family information, etc. One shockingly simple way that this hack could have been prevented is if the state would have implemented a consumption-based taxing scheme.

With a consumption based tax system, the government doesn’t have to collect private information from each citizen, and we don’t have to fill out tax return forms that detail our every activity and strip us of all of our privacy. Instead, we would simply pay a sales tax at the point of sale, which would be anonymous.  It still isn’t a perfect world, but at least the government would respect a little bit more of our rights, and we wouldn’t have to rely on them to keep our information safe. In fact, here in South Carolina, we could eliminate the business income tax and the personal income tax, and keep the current sales tax at the same level, simply by eliminating the sales tax exemptions. Imagine the money that would have been saved at the SC DOR, not having to keep track of, or keep secure, all of those tax records. But I guess that would have been too easy.

So now onto the harder part, the technical stuff. There are several obvious reasons Haley’s assertion of “nothing could be done” is just plain wrong:

1. Encryption of sensitive information is simply standard practice in the IT world. Encryption wouldn’t have prevented the hackers from getting into the network, but it would have meant that all of the information they stole would have been entirely useless to them. Most modern encryption schemes aren’t “hack proof,” but they are so complex that unauthorized decryption would take millions of years. Also, while not an “easy” thing to do, an experienced computer design team could quickly develop an encryption scheme for the data, and you can even find some that are pre-developed with a quick Google search.
2. The state of South Carolina already has enhanced network monitoring, but the SC DOR refused to participate in the program.
3. There is absolutely no reason for 250 people to have login credentials that provide them the level of access that would allow this kind of theft. Pretty much every information system out there today is designed with an architecture that provides data storage separately from the user interface. People who enter data into the system should only have restricted access to this interface, and anyone who is able to run a report that shows multiple records should require enhanced access. Finally, there should be absolutely no way for  a user to get file level access and simply copy all of the information.
4. The network where this information resides should absolutely not be accessible from the open internet. Any Cisco CCNA or other network architect can tell you that sensitive information needs to be segmented away and cut off from the outside world as much as possible. If a Virtual Private Network connection was used, then the question is: does the SC DOR need remote access to such private information? I think not.
5. Finally, the recent revelation that “anything that would be on a tax return” is potentially compromised, combined with the announcement that businesses had their tax returns stolen, leads me to believe that the hackers may not have stolen information from a database, but might have actually gotten digital scans of personal (and business) tax returns. I have no confirmation of this, but if true, it means that the hackers don’t only know identifying information, but they know detailed personal behavior and property ownership information. If you are a small-business person that files your business taxes on your personal return, then they know how you operate your business, what suppliers you spend your money with, what all of your expenses are, etc. Long story short: it is unthinkable that these files would just be sitting around on a network for any of 250 people to grab, not to mention hackers. If the state needs to scan these documents in for data entry and/or archiving, then they should be immediately stored in encrypted, password protected archives.

In conclusion, this security breach is yet another epic failure of government, and should be expected by any modestly intelligent person who observes the way governments behave. This is an illustration of why it is dangerous to “trust” the government. We need to take steps now to remove the government’s access to our privacy so that we can prevent these types of things in the future, seeing as how the government failed to take any of the obvious steps available to them.