This week marks one year since state officials revealed that a hacker got into South Carolina’s tax agency database and compromised over 3.8 million Social Security numbers.
While the hacker is believed to have gained access to the South Carolina Department of Revenue (SCDOR) system in September, state officials did not notify the public until an October 26 press conference (shortly after giving an interview to Columbia TV station WLTX). Any details about who was behind the cyber-attack (or whether investigators even know the hacker’s identity) remain secret.
The Secret Service is continuing an “active” investigation into the hacking, according to a State Law Enforcement Division spokesman. But very little, if any, public information has come out of that investigation in the past 12 months. Most of the public’s knowledge has come from a forensic examination by the cyber-security consulting firm Mandiant. The Mandiant report, released last November, found that a hacker sent a malicious email to some Department of Revenue employees in August. When one employee clicked on the link in that email, it allowed the hacker to steal that person’s username and password. Mandiant says the hacker then used that employee’s credentials to remotely access the employee’s workstation and, from there, the Revenue Department’s servers.
The report states the hacker copied database backup files to a staging directory. A day later, the hacker began compressing approximately 74.7 GB of data down to 8.2 GB. That allowed the attacker to send the files to another online system elsewhere on the Internet, the report says. The hacker then deleted the backup files.
Later legislative hearings revealed that SCDOR was also without its chief information security officer at the time, and that its chief information officer was forced out for “abusive behavior” shortly before the hacking was discovered. Former employees say SCDOR’s monitoring had been spread across too many staffers and subcontractors to be effective. SCDOR director Jim Etter resigned in the months following the hacking. Mandiant recommended dozens of changes.
Current SCDOR director Bill Blume says his agency has adopted Mandiant’s recommendations and has made other significant changes in security. Those include encrypting sensitive information on the agency’s servers, changing passwords frequently, and no longer allowing employees to access the system off-site from their personal computers. However, Blume says the primary change is altering the mindset of employees to make security a top priority. That includes yearly classes and training sessions.
“That seems sort of ‘Mom and Pop’-ish,” he told South Carolina Radio Network. “But… 70 to 80 percent of breaches come through an employee doing some sort of act. And it’s not always an intentional, bad act. It can just be going to a website (and triggering malware) or somebody getting an email.”
Democrats say they’re planning vigils around the state to mark the anniversary, calling Gov. Nikki Haley’s handling of the hacking a failure of leadership. SC Democratic Party chairman Jaime Harrison criticized the Haley Administration for waiting several weeks to notify South Carolinians about the breach. “It’s a huge issue not only to allow the hacking but to cover it up for two weeks,” Harrison told reporters in Charleston.
Haley insists SLED and the FBI wanted state officials to wait until October 26 as they conducted their own investigation.
So far, nearly 1.5 million South Carolinians have signed up for free credit monitoring from Experian. But Experian’s contract with the state ends next week. South Carolina officials have signed a new deal worth up to $8.5 million with CSIdentity to continue offering identity theft monitoring and insurance for an additional year. Residents can sign up for the new service beginning Thursday, or they can keep their Experian service next year for an additional $12.
In the meantime, Blume said his agency is doing its best to prevent another breach. “We can never say that we won’t be hacked, and anybody who tells you that is not telling the truth.” He then added, only half-joking, “There are only two people in the world: those who’ve been hacked and know it, and those who’ve been hacked and don’t know it.”