South Dakota
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- South Dakota’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches occur when unauthorized individuals unintentionally or deliberately access confidential data. Data breaches result from weaknesses in user behavior or the use of outdated programs in computer security systems. Over the past few years, South Dakota's public services and infrastructure agencies have been targeted by hackers searching for citizen data amassed in information technology systems. In the past two years, four member counties and cities of the South Dakota Public Assurance Alliance (SDPAA) have suffered data breaches. The hackers who cause these cyber attacks compel the affected local governments to send them thousands of dollars to recover control of their IT systems.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
South Dakota's Recent Biggest Data Breaches
Data Breach Suffered by the Fryn' Pan Restaurant
Fryn' Pan, a family restaurant situated in Sioux Falls, South Dakota, experienced a cyber attack between July 8 and October 8, 2023. The restaurant's owners were unaware that hackers had infiltrated the company's computer systems on July 8. United States Secret Service personnel contacted the restaurant and informed its owners that hackers had gained access to the Fryn' Pan computer network and may have viewed their customers' data. The Secret Service personnel elaborated that the hackers may have accessed the customers' card account numbers, card expiration dates, issuing banks, physical addresses, and names. Upon receiving this information, Fryn' Pan Restaurant immediately contacted customers who paid for orders between July and October 2023 using cards. These customers were advised to notify the bank that issued their banking cards if suspicious activity was detected in their banking accounts.
SiegedSec hackers target South Dakota Boards and Commissions
In 2023, the South Dakota Boards and Commissions' website was hacked and defaced by a hacker group called 'SiegedSec'. The South Dakota Boards and Commissions website is a portal that allows citizens to access data on commissions like the South Dakota Real Estate Commission, South Dakota Banking Commission, and South Dakota Board of Technical Professions. SiegedSec, which describes itself as a politically-motivated hackers group, did not make any demands of the South Dakota Boards and Commissions. The hackers compromised citizens' capacity to log in to the South Dakota Boards and Commissions' website for a few hours until security experts corrected the situation. A South Dakota Bureau of Information and Telecommunications representative observed that the hackers did not access confidential information but merely delayed ordinary operations for a few hours.
Sanford Health Data Breach
South Dakota's Sanford Health system oversees 158 nursing and rehabilitation facilities, 233 senior living communities, 224 clinics, and 46 hospitals. In 2023, Sanford Health's imaging vendor partner, DMS Health Technologies, experienced a cyber attack between March 27 and April 24. The data breach granted the hackers unauthorized access to more than 20,000 patients' insurance information, names, dates of service, exam types, and physicians' names. Sanford Health swiftly engaged an experienced IT security team to solve the issue and informed federal law enforcement about the breach. Sanford Health and DMS Health Technologies also publicly announced the data breach days after it happened. Sanford Health offered free monitoring services to patients whose data had been compromised. It also discussed its intention to implement better security measures to deal with evolving data threats.
Brown County Data Breach
In 2021, Brown County's computer network suffered an outage after one of its workers opened an email link with malware intended to extract data for extortion purposes. The data breach prevented the county's employees from accessing vital information needed to perform their jobs for more than a week. Brown County officials shut its server down to prevent the hackers from accessing employees' details and Social Security numbers. Brown County's 911 services were not affected by the data breach. Moreover, many of Brown County's departments could not use email communications, order new vehicle tags, or access their database. The hacker was unable to access Brown County employees' Social Security numbers or financial information. Following the data breach, Brown County officials admitted that their network had antiquated servers. They began to use antivirus software and implemented additional security measures to prevent similar data breaches in the future.
Cyber Attack on the South Dakota Department of Public Safety (DPS)
South Dakota's DPS Fusion Center, which holds COVID-19 patient data, is hosted by the web development service 'Netsential.com'. In 2020, Netsential experienced a data breach that exposed information held by the DPS Fusion Center. This data included patients' physical addresses, names, and COVID-19 test status. The data breach, which happened on June 19, impacted thousands of South Dakota's citizens. The DPS Fusion Center disclosed this breach to the public on August 17. The DPS Fusion Center asserted that the Netsential breach did not compromise patients' passwords, Social Security numbers, or financial information. Moreover, it admitted that the breach enabled unauthorized third parties to use Netsential labels on DPS Fusion Center files to identify citizens as being COVID-19 positive. Both Netsential and the DPS Future Center later stressed that they had implemented enhanced security measures to prevent similar threats in the future.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
South Dakota's state regulations mandate that business organizations inform their customers within 60 days of experiencing a data breach. Delaying in telling clients about cyber security incidents that compromise personal information is only permitted where law enforcement officials assert that doing so may obstruct criminal investigations. Business institutions must inform the South Dakota Attorney General when more than 250 citizens are affected by the data breach. Under South Dakota state regulations, personal information may include driver's license numbers, health insurance data, Social Security numbers, banking account passwords, credit card numbers, user names, email addresses, and debit cards. South Dakota regulations mandate that businesses notify residents of data breaches through electronic or written notices. Organizations may issue substitute notices on their websites or media outlets if the cost of notifying individual customers surpasses $250,000. If a business refuses to abide by these laws, South Dakota's Attorney General could impose a fine of up to $10,000.
Laws
- S. D. Codified Laws §§ 22- 40 establishes the regulations that business entrepreneurs and organizations are to use when a data breach is detected. Based on this Statute, business organizations in South Dakota must report any unauthorized acquisition of personal data to their customers within 60 days. Under this law, personal information includes a driver's license number, identity cards, health information details, debit and credit code details, email addresses, routing numbers, and passwords. Organizations must inform South Dakota's Attorney General when they experience data breaches that affect 250 or more persons. Additionally, they must inform consumer reporting agencies not later than 60 days after discovering the data breach.
Resources
- Chapter 7: Breach notification, HIPAA enforcement, and other laws and requirements
- Codified Laws
- COVID-19 Data Breach in South Dakota under FBI investigation
- DMS Technologies health data breach grows
- Hacks of Govt websites reportedly protest anti-Trans Legislation
- Officials: Cybersecurity crucial for South Dakota counties
- Sioux Falls Fryn' Pan cyber security breach.