What about That 2012 Data Breach?

November 30, 2015

Investigative Reports

Print Friendly, PDF & Email

Data

Fears of data breach grew government; impact negligible

When the massive data breach of 2012 exposed a system of information technology weaknesses and lax electronic security measures at the Department of Revenue, the state acted promptly to secure professional services and consumer identity protection that has cost taxpayers $50 million so far and counting.

Now three years removed, what has been the result of the information stolen from the estimated 6.4 million residents and businesses?

Nothing outside the normal range of complaints going back to pre-breach levels, according to the South Carolina Department of Consumer Affairs, which monitors both identity theft and financial identity fraud statewide.

The consumer affairs website defines both cases broadly. “Identity fraud occurs when a person uses the identifying information of another person to obtain employment or avoid identification by law enforcement or another governmental agency,” it states, while “financial identity fraud occurs when someone uses the financial resources of another person without authorization or permission.”

The biggest fear in the wake of the 2012 data breach was the theft of personal information to be used to engage in identity and financial fraud.

That simply has not yet come to pass.

In August, the Department of Consumer Affairs reported that the Federal Trade Commission’s Consumer Sentinel Network Data Book ranked South Carolina as No. 30 nationally in number of identity theft complaints, the largest category of complaints that agency receives. For all of 2014, the agency received just 3,540 complaints of identity theft. Florida, ranked No. 1, received 37,059 complaints by comparison. Neighboring Georgia (No. 5 at 11,384) and North Carolina (No. 27 at 7,334) both had considerably higher percentages of identity theft complaints.

Prior to the breach, South Carolina reported 3,168 cases of identity theft in 2011 (ranked No. 20 nationally per capita by the FTC) and 4,282 in 2012, the year of the breach (No. 17 nationally per capita).

Since 2008, seven million South Carolinians have been affected by data breaches across governmental, retail and food service, healthcare and financial service sectors, with an estimated 5.97 million coming from 2012 data breach alone.

“We haven’t seen what we feared we might,” said Department of Consumer Affairs spokesperson Juliana Harris. “That’s good news. It doesn’t mean we won’t at some point, but we haven’t yet.”

Financially, the cost of the breach to taxpayers has been significant. Immediately following the breach, the state spent $12 million with credit bureau Experian to protect citizens. An additional $11 million came in FY 2013-14 as the state began implementing recommended upgrades across state government, including the launch in October 2013 of an ID Theft Unit within the Dept. of Consumer Affairs that collects scam reports from consumers, assists identity theft victims and educates consumers, according to Consumer Affairs spokesperson Juliana Harris.

For FY 2014-15, the state spent $27 million on, among other things, an additional year of consumer protection and funding for a 21-person information security division and associated technology and equipment.

Conservatively, South Carolina has spent around $50 million since 2012 fighting an attack that came as the result of someone opening a phishing email and which has yet to produce any noticeable uptick in financial fraud or identity theft cases. What’s more, since the majority of that money was spent on studies to better improve cyber security ($3M to New York-based firm Deloitte and Touche), the resources (people and technology) to implement them and post-theft consumer protection for anyone whose identity has been compromised as a result of the breach, one cannot argue that the money spent has been responsible for the information not being used but only has increased the size of state government and, according to outside experts such as security analyst Sang Lee, helped bring a sub-standard security system up-to-date.

“The bulk of the money, as you can see, is being used for security operations that the state should have had before the 2012 data debacle,” Lee wrote in a blog about the breach.

At least some of the money spent has returned to the state. Following the awarding of the 2013 contract to Deloitte and Touche, that firm turned around and contributed the maximum amount to the re-election campaigns of three members of the Budget and Control Board who approved the contract – Gov. Nikki Haley ($3,000 in April 2014), Rep. Brian White ($1,000 in April 2014) and Sen. Hugh Leatherman ($1,000 in January 2015). Of interest: In December 2014, Deloitte itself was hacked and its internal salary information made public as part of the attack on Sony Pictures.

Reach Ron at 803-254-4411 or email him at ron@thenerve.org. Follow him on Twitter @RonAiken and The Nerve @TheNerveSC.