COLUMBIA, SC — Overseas hackers who stole S.C. tax information belonging to 3.6 million people used state-approved computer credentials to access the state Department of Revenue database, the agency's director said Tuesday.
About 250 Revenue Department employees have credentials to access taxpayer records, agency director James Etter said during a Senate Finance Committee hearing.
He declined to say whose credentials were used by the thieves or whether the passwords were stolen or sold by an employee. Etter, along with SLED Chief Mark Keel and Gov. Nikki Haley, declined to discuss much about the investigation, which is being run by the Secret Service.
Haley suggested Tuesday that the hackers, who stole the data in September, took advantage of a communications system used by Revenue Department offices across the state.
"This is someone who figured out how to get into the conversation," she said at a news conference. "It's incredibly sophisticated. This is not something that happened on a day-to-day basis. This is absolutely bizarre in nature."
A contractor scanned the Revenue Department's computer systems, which include two firewalls, in September and October, and found no vulnerabilities, Etter said.
"Obviously, that was not the case," he told senators.
The massive data theft, affecting anyone who filed a state tax return since 1998, has jarred South Carolina. Hackers grabbed access potentially to any information contained on a tax return, the S.C. Department of Revenue said. That includes Social Security numbers and bank account data used to route direct deposits of refunds.
Worried consumers have bombarded state agencies, lawmakers and the governor's office with calls for help since the breach was revealed Friday. More than 310,000 taxpayers have signed up for credit monitoring and up to $2 million in ID theft insurance for one year with Experian. The cost will be paid by the state.
S.C. taxpayers and their children who were victims of the data breach also will receive free lifetime credit-fraud resolution, Haley said. Experian will resolve ID-theft issues, such as eliminating bogus credit-card accounts from credit histories, even if they are not related to the Revenue Department hacking.
Industry analysts say stolen data can be used years after the theft as the information is sold among crooks, who want to obtain bogus credit cards and loans under victims' names or empty their bank accounts.
However, Haley said experts she consulted said the stolen information most likely would be used within eight months.
The cost of the theft is becoming more clear.
Experian capped the state's cost for providing a year of monitoring and lifetime theft resolution at $12 million, Haley said. The governor said Monday that the one-year coverage might cost about $8 a person, or $28.8 million if all 3.6 million taxpayers affected signed up.
The state also has paid $125,000 to Mandiant, a consultant recommended by the Secret Service to repair data-technology gaps and install security measures.
South Carolina also hired the Nelson Mullins law firm to assess liability issues, Haley said. No cost figures were available for the legal help.
Where the money to pay for repairing the data breach will come from remains a question.
The Experian contract would represent almost 30 percent of the Revenue Department's $41.7 million in state funding this year. Senate Finance chairman Hugh Leatherman, R-Florence, said the governor and Revenue Department need to request money to pay the contract from the Legislature, which does not have $12 million on hand to spend.
Haley said again Tuesday that she has no plans to discipline anyone in what is by far the state's largest hacking incident in the past seven years.
"There was not one thing or one person at the Department of Revenue that could have avoided this hack," she said. "Everybody wants to blame someone for this and everybody wants to go after someone for this. And what you need to remember is, there is a criminal overseas that has done this."
Etter faced a barrage of questions from the Senate Finance Committee, which held the first legislative hearing on the incident since the data hacking was revealed to the public on Friday.
The agency director was asked Tuesday about the 16-day delay between when the Secret Service told state officials about the breach on Oct. 10 and when the public was told.
During their investigation, authorities learned the hackers accessed the Revenue Department's computer system in August but did not take taxpayer information, including nearly 400,000 credit-card numbers, until September.
The Revenue Department needed time to see if it could catch the crook and fix the security hole, actions that Etter said saved taxpayers from more harm, though he did not say how.
Senators were unhappy that much of the information, including Social Security numbers and other taxpayer information, was not encrypted.
Etter, who was appointed last year after Haley's election, said he did not know why the information was not encrypted when computers were installed years ago. But he said the agency is in the process of encrypting data. He said just four of 19 states that responded to a recent information request said they encrypt tax information.
"I'm not worried about other states," Leatherman responded. "I'm worried about South Carolina taxpayers."
Senators also said they were worried about businesses, which Revenue Department officials have said were not involved in the breach.
They asked Etter to make sure. "I can't go back to my constituents and say, 'Trust me,'" said state Sen. Harvey Peeler, R-Cherokee.
Toward the end of the two-hour hearing, Etter received information that some state tax identification numbers for businesses had been exposed. He said his department will work on a fix. The department already has suggested that single-person company owners who use their Social Security numbers on business tax returns should enroll in the Experian monitoring program.
Senators questioned why the state could not automatically enroll people in the Experian program, especially the elderly and those without computer access. Etter said the state had to be sensitive to people who might not want to register over privacy issues.
"Oh, bull feathers! Privacy issues, my foot," state Sen. Phil Leventis, D-Sumter, shot back at Etter. "There's no privacy here. There's 3.6 million compromised numbers, and you're telling me that you're going to allow people to be victimized? They are the ones who end up holding the bag. We ought to be the ones that end up holding the bag."
State Sen. Kevin Bryant, R-Anderson, said Experian should be paying the state for providing the free year-long ID theft service.
"They are going to get a ton of business at the end of this year because most people are going to want to keep the protection," he said. "We're doing a wonderful thing for Experian by giving them all these customers."