My name is Nate Spurrier. I’m a South Carolina taxpayer, and therefore, a potential victim of the massive South Carolina Department of Revenue Breach. I work in the identity theft and data risk industry, so when I heard about how everything was being handled and what was being offered, I was upset.
When news broke that there had been a breach at the state's Department of Revenue, I knew the ramifications to consumers, the government, and other agencies would be severe. At this point in time, more than one month since the announcement of the Oct. 26 breach, state residents still don’t have answers. Let me give it to you straight.
The state Department of Revenue proved that it had not invested the proper amount of time and energy in security. It didn’t use basic safeguards to protect consumer data such as two-factor authentication, encryption, and employee training. The main cause of this breach was a spear-phishing attack. A spear-phishing email is typically sent to one individual and includes a link leading to a fake website requesting personal information such as a username and password. Sometimes, the recipient is required to download a file. These types of emails are sent every day. With basic knowledge and minimal training, most recipients learn not to click links from unknown senders and, better yet, they definitely know never to provide username and password information.
At IDentity Theft 911, we say that you’re only as strong as your weakest link. With this in mind, businesses should ask:
- Do I have the proper security measures in place?
- Where are my potential vulnerabilities?
- What may employees be lacking in terms of training and knowledge?
Encryption and two-factor authentication are standard with any business that maintains personal information, never mind a state’s tax agency.
So what’s next for state taxpayers? Probably some instances of identity theft. The government has shown how little it understands when it comes to data breach risks. Initially, one year of credit monitoring was offered. Not long after that announcement, questions started circulating about identity theft occurrences after one year. Since identity theft can cover many areas (medical, financial, criminal, employment, tax, etc.) over a person’s lifetime, the government decided to extend the package indefinitely. Even worse, after the initial announcement of the breach, the government had to update the public with more bad news: Sensitive business information also had been exposed. From the perspective of an informed citizen, my confidence in our state government is low.
Here’s my advice: As a consumer, educate yourself on how to identify whether you’re an identity theft victim. We may not always have the power to control our personal information (how it’s stored, managed, and destroyed), but we can be aware of the warning signs of identity theft. Watch out for late payment notices, declined loan applications, etc. Ensure you’re actively managing all aspects of your identity portfolio, including credit reports, tax records, and medical records. While a credit monitoring package provides some protection, it does not prevent identity theft or even identify every form of identity theft.
Aside from the potentially lifelong issue identity theft can bring to a victim, the biggest issue is how little citizens understand the risks associated with this breach and how little the government has done to protect its own citizens.
Nate Spurrier is Director of Business Development for IDentity Theft 911.