Public Sector Case Study

In November 2012, South Carolina state officials disclosed a massive data breach at the Department of Revenue. Few details on the breach were disclosed. But it involved exposing more than 3.6 million taxpayers’ personal information records and 650,000 business tax–related records. The breach occurred in September 2012. It’s clear that massive amounts of personal information were stolen. A former top official with the FBI estimated the cost to the state at more than $350 million, based upon past FBI experience, including the cost of offering free credit monitoring to affected individual taxpayers and businesses.
The root cause of the breach cited in news reports was the lack of mandatory security policies across 100 state agencies, boards, commissions, and colleges and universities.
All state agencies have some type of computer security system in place. It’s fair to assume they all have some level of security policy in place. But it is clear these policies were discretionary. That meant an approach to information security across state government that was at best inconsistent. Nor did the state appear to have a comprehensive approach to sharing best practices for information security or for coordinating response to these types of data breaches.
In the case of the South Carolina Department of Revenue, the policies clearly were neither adequate nor consistent. Additionally, reports indicate the source of the hack was in Eastern Europe. The hacker or hackers gained access through a phishing e-mail. Phishing e-mails try to trick a user into opening an e-mail and executing a link or program with malware. Security awareness is a strong control that educates users on how to protect themselves from such attacks, including how to recognize such attacks and why not to open suspect links. If a phishing e-mail was a source of the attack, it might be an indication that the security awareness program at this state agency was inadequate.

Write a paper of not more than 300-400 words on the following:
- Do you think that the attack could have been prevented? If so, how? Alternatively, if you think that the attack couldn’t have been prevented, provide your analysis as well.
- What is your takeaway from the attack? And how does it prepare you to prevent future attacks in your organization?
- All papers must adhere to APA format. Please, don’t forget to use double spacing, and create in-text citations before making any references.