Several weeks ago, South Carolina was the victim of what some experts believe to be the largest cyber-attack against a state tax department in history. Approximately 3.6 million personal South Carolina income tax returns were exposed, and nearly 657,000 businesses compromised, in an international hacking attack.
Coincidentally, SAS and the SC State Treasurer had planned a fraud detection and prevention symposium for Nov. 13. SAS has similar events all over the country. Attendance numbers vary, but never have we seen turnout like this. Nearly 300 people attended, including a substantial media presence. It’s understandable. Citizens are naturally concerned when something like this happens.
The media coverage of the breach and the SAS event, including stories in USA Today and broadcast coverage on ABC Columbia, WSPA (CBS) and WLTX, seeks to explain how this could happen and what can now be done to detect and prevent future attacks.
The hard truth? The attackers are likely highly organized criminal operations. Their schemes and technology are very sophisticated and always evolving. Chris Swecker, the former No. 3 official at the FBI, joined me, State Treasurer Curtis Loftis and State Inspector General Patrick Maley at the event. From the GreenvilleOnline story that ran on USA Today.com:
“Swecker said financial fraud is the dominant crime of this millennium.
Much of the fraud, he said, is being committed by sophisticated professionals who are technically savvy and operate out of Eastern Europe and Russia.
Those organizations, he said, ‘make the Cosa Nostra look like Boy Scouts.’
The professionals are systematically looting organizations, including governments, because there is low risk at being caught or prosecuted and there are high rewards, he said.
Financial fraud is a $220 billion annual business, Swecker said, including an estimated $37 billion in damages from identity theft.”¹
Analytics can help detect and prevent these sorts of attacks, as well as help detect future attempts to use the information stolen during the attack for financial gain. Traditional controls use business rules and basic anomaly detection. As fast as we plug the gaps, the criminals exploit new ones. Using advanced anomaly detection and predictive modeling, we can more rapidly identify aberrant behaviors. Social Network Analysis can identify connections between individuals to uncover organized crime rings.
Thwarting these criminals requires an enterprise approach where departments and agencies share a common technology layer with common investigative capabilities. So, if I’m investigating someone for tax fraud who happens to be a Medicaid provider, the investigation can be coordinated between the two departments. For example, one customer I talked to manually cross-matched tax fraud investigation information with Medicaid investigations and found an 85% overlap. The fact is, bad people do bad things across the spectrum.
Traditionally, each program has its own fraud unit and data. The criminals do not look at state governments that way. They take a holistic view and attack across departments and programs. Our efforts to thwart them should follow suit.
1. "Lack of security policy cited in S.C. breach", by Tim Smith, Greenville Online, Nov. 14