“Credit card numbers themselves end up being sold in batches of 1,000, 10,000, 100,000 in online underground forums and just being passed around the world,” said Michael DuBose, a former chief of the U.S. Justice Department’s computer crime section.
Social Security numbers are sold in the same way, said DuBose, who now works for international cybersecurity company Kroll.
The hacked personal income tax returns included Social Security numbers and about 387,000 credit and debit card numbers, 16,000 of which were not encrypted. The hacker also took data from as many as 657,000 business filings.
During DuBose’s tenure, the Justice Department handled some of the nation’s biggest computer theft cases.
“I used to say that maybe the best protection you have as a credit card holder is the fact that there are so many credit card numbers being traded out there on the underground forums that, just with the pure numbers, it makes it less likely yours will come up,” said DuBose, who declined to comment specifically on the South Carolina case.
Authorities have said the hacker used an international IP address, but DuBose said that might be deceptive.
“If you trace an IP address, which may make it appear it’s coming from eastern Europe, that may just be a proxy being used by someone on the other side of the world,” he said.
A Federal Trade Commission attorney said the selling and trading of stolen information makes it virtually impossible to trace an identity theft case to any particular security breach.
“The reality today is consumers’ information is all over the place. You have no idea whether it was due to a particular hack or if somebody else picked up the information,” said Steven Toporoff, an attorney for the FTC’s division of privacy and identity protection. “It’s difficult to trace back and very difficult to predict a timeframe.”
Why would an international hacker target a small state in the American South?
“The reality is that hackers will go after low-hanging fruit before they go after victims that are harder to breach in many cases,” DuBose said. “Systems that are not as well protected as others are going to be more vulnerable because hackers don’t necessarily want to spend the time or the effort.”
Much criticism has arisen about the South Carolina information not being encrypted.
Best practices would require personally identifiable information to be encrypted both in transmission and in archiving, DuBose said.
“If you no longer need data stored on a system but you may need access at some time in the future, you can archive it to a removable media and take it offline,” he said. “As a principle, if you don’t need the data day to day, you should either get rid of it or put it on a removable media or a lockdown, secure server.”
Archiving it in such a way does make access for the agency more cumbersome.
“It’s an inverse relationship between accessibility and security. The more accessible you make it, the less secure it’s going to be,” he said.