Over two months, hackers managed to gain access to the S.C. Department of Revenue computers and steal state tax data belonging to 6.4 million consumers and businesses. Mandiant, a Washington computer forensics firm hired by the state to investigate the incident, offered details Tuesday of how the hacking unfolded:
Aug. 13: Hackers send emails to several department employees with a link that contained malware. One employee clicks on the link, unleashing a program that likely steals that person's username and password.
Aug. 27 and 29, Sept. 1-4 and Sept. 11: Hackers log into the department remotely and introduce more programs to help in their theft. They try to steal all the department passwords but use those from three additional employees, including some who have wide access to the computer system. The hackers install a backdoor and perform reconnaissance into department servers and the system that handles credit-card payments.
Sept. 12: Hackers copy and create 23 database backup files and leave them in a directory.
Sept. 13-14: The databases are compressed into 14 smaller files and moved onto the Internet. A 15th compressed file has an encrypted version of the department's data encryption key. The hackers delete the copies left on department computers.
Oct. 17: A week after the Secret Service informs the state about the breach, investigators find the backdoor when the hackers check their connection to a department server.
Oct. 19-20: The security holes are closed. Investigators report no sign that the hackers have tried to pry into the system since.
By the numbers
S.C. Department of Revenue employee accounts used in the hacking
Internet addresses the hackers used
Times between Aug. 27 and Oct. 17 that the department computer system was accessed
Pieces of malicious software and utilities used
Revenue department systems attacked
Gigabytes of data taken