Governor Nikki Haley’s office released a preliminary report Tuesday of the recent cyberattack on the South Carolina Department of Revenue. Haley made public the report by the cyber security firm Mandiant at a Statehouse press conference.
Haley admitted that the state “did not do enough” to protect against hackers. She said South Carolina’s database was in compliance with Internal Revenue Service (IRS) standards, but that compliance does not include encrypting Social Security numbers in a state database.
“Should we have done more? Yes. We should’ve done more than we did. We should have done above and beyond what we did,” Haley said. The governor said her office sent a letter to the IRS warning of the potential weakness for other states and federal agencies that do not encrypt sensitive data.
Mandiant finished its report last week. The firm revealed that 3.8 million people who filed electronically were compromised, along with 1.9 million dependents who were listed on those filings. Haley said only those who filed their taxes electronically were affected.
“I want to stress, this was only electronic filers,” the governor told reporters. “So anybody that filed by paper does not have to worry about this breach.” She added that, while anyone who had filed since 1998 should sign up for free credit monitoring from Experian, most of the stolen data appeared to be from 2002 or later.
Nearly 700,000 businesses, 3.3 million bank accounts and 5,000 expired credit cards were also compromised in the breach, according to the governor. Those affected by the security breach will be notified either by the state or by Experian, if they have signed up for the protection. So far, more than 843,600 people have signed up for a free credit monitoring service offered by Experian under a $12 million contract with the state.
Mandiant investigators believe the hacker sent a malicious email to some Department of Revenue employees in August. When one employee clicked on the link, it allowed the hacker to steal that person’s username and password. Mandiant says the hacker then used that employee’s credentials to remotely access the employee’s workstation and later the Revenue Department’s servers.
For about a week, the attacker perused several different agency servers. The report then states that, on September 12, the hacker copied database backup files to a staging directory. A day later, the hacker began compressing approximately 74.7 GB of data down to 8.2 GB. That allowed the suspected attacker to send the files to another online system elsewhere on the Internet, the report says. The hacker then deleted the backup files.
State Law Enforcement Division Chief Mark Keel said investigators could not comment on whether the compromised information was being sold by the hacker, citing the ongoing investigation.
As a result of the hack, Mandiant recommended that the Department of Revenue switch to “two-factor authentication” for access to the database, meaning that the attacker would have needed more than just a password to access the database.