State senators spent nearly two hours grilling the director of South Carolina’s tax agency Tuesday. However, lawmakers were clearly frustrated when Department of Revenue director James Etter repeatedly said he could not go into specifics about how more than 3.6 million Social Security numbers were stolen from the agency’s database.
“I’m totally dissatisfied with (these) answers,” Sen. John Matthews (D-Bowman) said as the hearing came to a close, echoing the sentiments of many on the Senate Finance Committee.
Following several questions from senators, Etter revealed for the first time that business identification numbers used for tax purposes were exposed in the breach. He said the business credit information company Dun & Bradstreet Credibility Corp. has a monitoring service that his agency would look into. Meanwhile, the agency is in the process of changing each business’s number. Etter said he had just learned the news from staff and would give more details later. He did not clarify which types of businesses (such as LLCs, S-Corporations, and sole proprietorships) would be affected.
That did not sit well with Sen. Harvey Peeler (R-Gaffney). “That’s not an acceptable answer,” he told Etter, “That’s not acceptable. I can’t go back to Gaffney and tell my small businesses, ‘trust me.'”
Right now, South Carolinians whose Social Security numbers were affected can enroll in a free credit monitoring program offered by Experian for 12 months. After that, the state will continue to pay for the victim’s lifetime credit protection that would not include the monitoring service. Governor Nikki Haley told reporters earlier Tuesday that the state had negotiated a $12 million deal for the service. Etter said his office would try to reach a similar arrangement with Dun & Bradstreet for South Carolina businesses.
Finance Chairman Sen. Hugh Leatherman (R-Florence) tried to keep the questions away from the ongoing investigation into the hacking, knowing that Etter was not authorized to answer them. However, some more information about the breach was revealed.
Etter told senators that, in order to access the database, the hacker would have needed Department of Revenue credentials. 250 people have special, individual credentials, he said. The director said he did not know how the hacker got those credentials. When asked by Sen. Greg Ryberg (R-Aiken) if the agency knew which employees’ credentials were used, Etter responded, “I don’t want to comment on that at this point.”
Many senators indicated that they did not think the Department of Revenue was doing enough to get the word to South Carolinians affected by the breach. Sen. Phil Leventis (D-Sumter) questioned why taxpayers had to take action on their own when it was the state that had allowed the data to be stolen.
“The idea that we have made all of these people whose numbers have been compromised eligible is not terribly responsible,” he said during the hearing, “We’ve put an obligation on people that is based on a failure of ours.”
Leventis asked Etter why the Department of Revenue could not act as a “go-between” for taxpayers with Experian, since many people would not know how to enroll in the program on their own. The director repeatedly answered that doing so would violate privacy concerns, since some taxpayers may not want Experian to access their personal information.
Leventis finally snapped, “That’s bullfeathers! Privacy issues, my foot! There’s no privacy here, there’s 3.6 million compromised numbers.”
Etter did agree with Sen. Yancey McGill (D-Kingstree), who suggested that the agency use some of its accountants to help people sign up for the free protection.