According to security firm Mandiant, the attack was most likely caused by an employee who "unwittingly executed malware, and became compromised" after clicking an email link.
Once the attacker had legitimate credentials, the report states, he or she logged in via a remote access service and obtained more account passwords. Now with access to many accounts, the attacker was able to look around the state's systems during the following weeks, and by Sept. 12, the attacker had gained access to databases of personal information. Before the state sealed its servers from further outside access, the attacker logged in to 44 state systems.
The initial data breach occurred on Aug. 13, but the breach was not identified until Oct. 10, when the Secret Service informed the state that the information of three residents appeared to have been stolen. Questions of why it took the state so long to identify such a thorough breach of security and who should accept the blame for such a breach have different answers.
The state blamed the Internal Revenue Service for not mandating that the state encrypt Social Security numbers. Others blamed recently resigned South Carolina Department of Revenue Director Jim Etter, who declined an offer for free breach-detection services from the state's IT department.
A report detailing the attack is below: