South Carolina revenue chief steps down following data breach

South Carolina Governor Nikki Haley admitted that state officials did not do enough to prevent a data breach that exposed the personal data of nearly 4 million individual filers and 700,000 businesses in the latest known attack on state computers. The breach led to the resignation of Department of Revenue Director Jim Etter, effective Dec. 31. The state hired Mandiant, a computer security firm to audit the breach and recommend ways to prevent future attacks.

For weeks, Governor Haley said nothing could have been done to prevent the attacks, but the report shows conclusively that state officials were lax in their approach to cybersecurity. According to the report, state revenue system computers didn’t encrypt individual social security numbers or require now common dual factor authentication before accessing sensitive data. The Governor is blaming antiquated state computers and IRS guidelines for the slip, although Haley’s administration failed to include provisions for technology improvements to this department throughout her own tenure.

Hackers are believed to have taken data extending as far back as 1998 and the Governor has told all 4 million individuals and businesses effected by the breach to assume that their full data file was taken, including social security and credit card numbers. The attack is currently believed to be the largest such attack on a state computer system in history and follows another previously reported on by this website in Utah earlier this year.

Taxpayers included in the attack will be notified by a letter sent to their homes and may also be eligible for subsidized credit monitoring in the year following the attack. According to the report, hackers involved in the attack installed password capturing software on six servers that allowed them to gain broad based access to state computer systems, capturing information and moving copies to their own file systems.

“Could South Carolina have done a better job? Absolutely, or we would not be standing here,” Haley said in releasing a report from Mandiant. Haley is now moving more personnel into state IT shops under the guidance of Mandiant and will be examining further responses. The breach has so far cost the state $14 million, projected potential cost to effected taxpayers on top of that for monitoring and repairing their credit reports is unknown but could be in the millions depending on how attackers choose to use that information.