August 1, 2014

Tax agency’s former CIO “flabbergasted” hack wasn’t discovered

The man who was responsible for overseeing the computer systems at the South Carolina Department of Revenue has accepted at least some responsibility for failing to stop a hacker from accessing more than 3.6 million Social Security numbers in an agency database last fall.

Former Dept. of Revenue CIO Mike Garon testifies to a House subcommittee Thursday

Former Dept. of Revenue CIO Mike Garon testifies to a House subcommittee Thursday

Former Chief Information Officer Mike Garon told a House panel Thursday he was shocked to think that staffers responsible for monitoring the system did not notice the illegal activity for nearly two months. He said such a massive transfer of data should have been noticed within 48 hours.

“I’m amazed,” he said, “I’m just flabbergasted that we didn’t discover it.”

Garon said he was forced to resign on September 21— which is roughly a week after investigators say a hacker had secretly copied millions of Social Security numbers from SCDOR databases. Revenue officials insist his resignation was a coincidence since they did not actually learn about the hack for another few weeks. Garon said Thursday he was forced to resign after being accused of abusive behavior and for committing to a new technology plan without his superiors’ knowledge. It was the first time either Garon or SCDOR officials had offered a public explanation for what happened.

Former Department of Revenue director Jim Etter resigned late last year. Etter has previously said the agency first learned about the breach from federal officials on October 10.

Partway through the meeting, Rep. Jim Merrill (R-Charleston) asked Garon who he thought was responsible for “this debacle.” Garon waited about seven seconds before answering, “Many, many processes… You want a person and I will not pick out a person.”

Merrill then asked, “Are you responsible?”

Garon answered, “There are many procedures, policies— and people who are responsible for those— that are accountable. Am I accountable for some element of this? Yes.”

AUDIO: Listen to exchange between Merrill and Garon (0:36)

An investigation found that the hacker was able to gain access into the SCDOR network after at least one employee unintentionally opened malicious software in an email. Garon said he does not remember the specific “phishing” email, but said he believes officials responded under the normal procedures.

Garon criticized his former superiors for focusing on multiple projects at the same time that the agency was trying to transition to a new integrated tax system. He said Etter and Deputy Director Harry Cooper gave other projects a higher priority and increased the security issues. “We needed to focus on one system. When you’re working on multiple systems, it’s high-risk… I mean it’s risk to security. It’s risk from the standpoint of problems occurring in the system.”

Lawmakers questioned if the security division’s small staff was stretched too thin. Garon’s IT division had an especially high turnover rate. “It seemed to be quite a problem,” Rep. Laurie Funderburk (D-Camden) said, “You were down a number of staff members in your department. Specifically, the security officer position was vacant for a year.”

Previous security officer Scott Shealy left the agency in September 2011, saying he was frustrated in his efforts to better protect sensitive information stored on SCDOR’s network. After Thursday’s meeting, Shealy told reporters that Garon’s personality was a big reason why his division had such a high turnover rate. “His management style was very abusive. Employees were reluctant to take concerns higher up the chain for fear of retribution… That’s the reason there was high turnover.”

Shealy said he worries that, once he left, his former boss divided the security and monitoring duties among several staffers and contractors who were brought in due to staff shortages. He said he thinks those employees were focused too much on their primary jobs and missed the warning signs that their system had been compromised.

By the end of the meeting, several legislators were questioning the “bizarre” coincidence that led to Garon being terminated only a week after the information was stolen. Merrill and Rep. Harry Ott (D-St. Matthews) even proposed a “hypothesis” suggesting that others at the agency were aware of the breach, but kept it under wraps so they could deal with it internally. When that failed, Merrill theorized that Garon was scapegoated.

“It seems that we have, in this hypothesis, a situation where somebody could have had knowledge of this and then started to plug the leak, trying to take care of it internally,” Merrill said, “And then, it sort of exploded until October 10, when the Secret Service got involved… and it became public knowledge.”

The panel’s chairman Rep. Bruce Bannister (R-Greenville) said staff would talk to SCDOR and the firm which investigated the breach to determine why employees did not notice or report any suspicious activity on the computer logs.