On Tuesday, Gov. Nikki Haley admitted that there was more the state could have done to protect its residents ahead of a September security breach of state Department of Revenue servers that compromised the personal information of 5.8 million people listed on electronically-filed South Carolina tax returns dating back to 1998. In the wake of the lapse, Revenue Director James Etter tendered his resignation to the governor.
The findings of an investigation by data forensics firm Mandiant were delivered in a three-page bullet-point review that detailed how and when a hacker, suspected to be operating overseas, was able to gain access to and retrieve over 74GB of data from over a dozen state servers over the course of a few days in mid-September. The firm suspects that the attacker employed a common phishing scheme which tricked at least one Department of Revenue employee into clicking a link in an email sent by the hacker, which in turn transmitted the employee’s security credentials. Exploiting the employee’s access privileges, the hacker then logged-in using off-the-shelf remote-access software that let the attacker take over the workstation and access taxpayers’ personal information.
Though records show the hacker accessed state servers at least five times before Mandiant was contacted on September 10, nearly a month after the initial phishing emails were sent, no data theft occurred until September 13. By September 20, the state had implemented short term security measures to detect similar subsequent attacks, and has not found any evidence of malicious activity since that time.
The investigation allowed the state to determine exactly whose data was compromised in the attacks, and that everyone affected will be contacted, either by mail or email if they have already registered with credit monitoring firm Experian.
Haley, a Republican, took the opportunity to issue calls for federal reform of how states handle sensitive tax data, including upping minimum federal standards to require the encryption of Social Security data, which she said, along with “1970 equipment,” was one of the contributing factors to the state’s vulnerability to a breach of this nature. Haley had previously said that there’s nothing the state could have done to prevent the attack, drawing criticism from her colleagues in the Statehouse.
The governor did not elaborate on what kind of “1970 equipment” is handling state tax records since 1998.
In all, the attack affected 3.8 million individual state taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts, and 5,000 credit card accounts (all of which, officials say, are now expired). The U.S. Secret Service is heading up the deeper investigation, SLED Chief Mark Keel says, and the state is cooperating with the inquiry.
Outgoing Dept. of Revenue Director James Etter will be replaced at the end of the year by Bill Blume, director of the S.C. Public Employee Benefit Authority.
The state now shifts into “cyber plan mode,” says Haley, who says government agencies will now treat internet threats like hurricanes, with periodic review of preparedness measures and policies.