Largest-ever US public sector cyber attack is warning on the criminal value of customer credentials

Parkview, (PresseBox) - The recent, and largest, cyber attack ever on a state government in the US, shows that attacks on third-party credentials - which can be used in identity theft frauds - are becoming more and more commonplace.

The problem, says Andy Kemshall, chief technology officer at SecurEnvoy, is that public sector organisations in the US have a lot of identity information on citizens in their database, including payment card details.

"US credentials such as the person's social security number, name, address and payment card details, are pure gold when it comes to identity theft information, which has now become a global cybercriminal commodity business," he said.

"The South Carolina state computer system hack is notable for the volume of data - 3.6m social security numbers and 387,000 credit plus debit card credentials - that were stolen, and which can be used by cybercriminals to create cloned payment cards and apply for credit plus bank accounts in the victim's name," he added.

Even with a conservative $3.00 rate per card information set, that means the cybercriminals could grab more than a million dollars for selling on the credentials they stolen in this data theft, he explained.

More than anything, the SecurEnvoy CTO says, this highlights the immense profits that can be derived from a short period targeting and hacking a public sector computer system, after conducting reconnaissance using an automated set of hacking tools to probe likely IP addresses on the Internet.

And coming against the backdrop of the NHS having lost 1.8 million sets of patient records in the last year (Source: Daily Telegraph -, he notes, there is a big question mark hanging over the security of government systems, which could be targeted in a similar fashion to what is happening in the US.

The NHS, he adds, has come in for understandable criticism for its data losses over the years, as have several councils, but given the fact that the government - at both local and national levels - is short of money in these straightened times, IT professionals in the public sector clearly do not have the security resources that are available to the private sector.

Given the widespread ownership of mobile phones - with almost every adult now carrying one in their jacket pocket or purse - Kemshall says there is a strong argument to harnessing the mobile as a means of authentication when accessing data on a public sector computer system.

This is what security experts call tokenless two-factor authentication (2FA) and secures an IT interaction with 'something you have' (the handset) and 'something you know' (the challenge authentication data) across an easy-to-use system (the mobile network.

"Implementing tokenless 2FA using a mobile is a very easy and low-cost way of securing access to large data repositories in the public sector, both with employees and members of the public, where appropriate. This contrasts with the relative insecurity of conventional ID/password credential-based systems," he said.

"We call this BYOT - Bring Your Own Token - and means that organisations gain access to a secure authentication methodology without all the expense and administration involved with hardware tokens, but still retaining all the convenience and security," he added.

For more on SecurEnvoy:

For more on the largest-ever US public sector cyber attack:

Press releases you might also be interested in

Weitere Informationen zum Thema "Security":

Kernschmelze der CPU-Sicherheit

Die bei­den Si­cher­heits­lü­cken Melt­down und Spect­re ha­ben die IT-Welt in Aufruhr ver­setzt. Bis­lang sind zwar kei­ne kon­k­re­ten Fäl­le nach­ge­wie­sen, bei de­nen die Schwach­s­tel­len au­ßer­halb der for­schen­den Com­muni­ty aus­ge­nutzt wur­den, aber die be­kannt ge­wor­de­nen CPU-Si­cher­heits­lü­cken ver­un­si­chern ei­ne gan­ze Bran­che. So wie es aus­sieht, ist ein Pra­xis­nach­weis näm­lich gar nicht mög­lich.


Subscribe for news

The subscribtion service of the PresseBox informs you about press information of a certain topic by your choice at a choosen time. Please enter your email address to receive the email with the press releases.

An error occurred!

Thank you! You will receive a confirmation email within a few minutes.

I want to subscribe to the gratis press mail and have read and accepted the conditions.