COLUMBIA, SC — A $25,000 dual password system likely would have prevented hackers from stealing state tax data belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, a special state Senate subcommittee investigating the data breach was told Wednesday.
"I almost fell out of my chair," Sen. Kevin Bryant, R-Anderson, co-chairman of the cyber-security breach subcommittee, said after the hearing. "For $25,000, we wouldn't be here."
A computer security firm hired by the state told senators that hackers would have been thwarted by requiring Revenue Department employees to log in twice, once with a password that changes every minute.
Dual passwords are required by the Internal Revenue Service for agencies, such as state tax departments, that access federal tax records remotely, but the S.C. Revenue Department did not install the system until after the breach. The password system is costing $25,000, agency director James Etter told senators.
The subcommittee also heard that the Revenue Department looked at encrypting data at least twice in the past six years before hackers stole unencrypted state tax data in September. Those efforts went nowhere, though the agency now is encrypting tax information, including Social Security numbers.
Wednesday's hearing was the first held by the special four-member Senate subcommittee looking into the hacking incident, widely believed to be the largest ever nationwide at a state agency.
Hackers stole the information of 3.8 million taxpayers plus 1.9 million listed dependents and nearly 700,000 businesses. Thieves also nabbed bank-account data from 3.3 million taxpayers. Data taken dates back to 1998. In the aftermath, Etter is resigning at the end of the year.
SLED director Mark Keel said Wednesday he is unaware if hackers have misused any information obtained during the data theft.
While taxpayers worry whether thieves will empty their bank accounts, file false tax returns or open bogus credit cards, the state is paying more than $14 million in an effort to fix the damage, including signing a $12 million contract with Experian for taxpayers to get a year of free credit-report monitoring. The state also has hired public relations and law firms. The Revenue Department also is reallocating an additional $5 million from its budget to pay to encrypt data.
"Government dropped the ball," Bryant said.
Encrypt or not
The Revenue Department considered encrypting data in 2006 but balked at the $5 million price tag. It instead chose to follow IRS standards that do not require encrypting tax information in servers, Etter said. The IRS requires encrypting data in transmission.
The department also sought $14.4 million this year for new computer system upgrades that would have included encryption. But that request was cut by House budget writers, Etter told senators.
State Rep. Gary Simrill, R-York, who chairs the House budget subcommittee that oversees the Revenue Department, said, "Today is the first that I have heard of this project being linked to data security, and the department's ... request did not include any mention of security." He said lawmakers have raised the agency's budget by 21 percent since 2009 and would be willing to pay more to better protect taxpayers.
The agency only encrypted credit-card numbers.
Marshall Heilman of the computer security firm Mandiant, hired by the state after the hack, said he would have recommended encrypting all tax data.
In addition to encryption, Heilman cited the lack of a dual-password system as making it possible for hackers to access the Revenue Department files. An IRS publication requires all local, state and federal agencies that can access federal income tax data remotely to use a dual password system. A Revenue Department spokeswoman did not say why the agency was not following the rule, saying only that the employees whose information was stolen to access the computer system did not have access to federal tax records.
Etter also told senators his agency did not have a computer security chief for nearly a year until August because it could not attract candidates for the post, which paid $100,000 a year, about half of what the private sector pays.
During most of that period, the department's chief information officer, Mike Garon, doubled up, also filling the security role. But Garon left the agency in September for reasons unrelated to the hacking.
Bryant said he was upset the Revenue Department left the security job open for so long without asking for help from lawmakers: "How many banks go 11 months without a security guard?"
At the hearing, Etter declined to discuss the agency's security before the hacking, saying that would be telling thieves, "Here are the keys to the front door. Come on in."
Bryant asked what made the revenue agency an attractive hacking target, adding: "If I were a criminal, I would go to the house that wasn't locked."
Etter replied, "I don't know why he picked us," suggesting other states might have been hacked too but have not discovered the thefts.
Wire transfer that wasn't
Gov. Nikki Haley has ordered the 16 Cabinet agencies that report directly to her to subscribe to a state-sponsored network monitoring service and use a program from Mandiant that shuts down computers infected by viruses or uploading an unusually large amount of files.
Mandiant will share security suggestions with the state this week as part of $700,000 in work it is doing for the state, Heilman said. A review of computer systems before the hacking would have cost about $200,000, he said.
The hacking appeared to start when a Revenue Department employee clicked on a link in an email confirming a wire transfer that appeared to come from inside the agency, Heilman told senators. That click appeared to allow the hackers to get the employee's username and password and, later, those belonging to employees who had greater access to agency computer systems.
The agency could not have spotted hackers as they entered the systems 10 times over nearly three weeks before stealing the data because they were logging in with approved employee credentials, Mandiant's Heilman said.
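To illustrate the control Mandiant described to senators (a second log-in factor that changes every minute) and why stolen static credentials alone would not have let an intruder keep logging in, here is an added example written in the style of RFC 4226/6238 with a 60-second step. It is not code from the state, Mandiant or the IRS; the secret, password and timestamp are constructed demo values, and the 6-digit, SHA-1 parameters are the RFC defaults, not anything the article specifies.

```python
import hmac
import hashlib
import struct

# Assumed parameters (example, not the Revenue Department's system): a 60-second
# step to match "a password that changes every minute", 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 60
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time, so the code rolls over every step."""
    return hotp(secret, at // step)


def verify_login(stored_password: str, secret: bytes, submitted_password: str,
                 submitted_code: str, now: int, skew_steps: int = 1) -> bool:
    """Dual-factor check: the static password is never sufficient on its own.
    The current window plus/minus skew_steps windows is accepted to tolerate clock
    drift; comparisons are constant-time so timing does not leak partial matches."""
    if not hmac.compare_digest(stored_password.encode(), submitted_password.encode()):
        return False
    current = now // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted_code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values; a real deployment uses a per-user secret from a CSPRNG.
    secret = b"constructed-demo-secret-not-real"
    t0 = 1_350_000_000  # fixed timestamp so the demo is reproducible
    code = totp(secret, t0)
    print("password + fresh code accepted:", verify_login("hunter2", secret, "hunter2", code, t0))
    print("password alone rejected:", verify_login("hunter2", secret, "hunter2", "", t0))
    print("code replayed ten minutes later rejected:",
          verify_login("hunter2", secret, "hunter2", code, t0 + 600))
```

A phished static password used days later, as described in the hearing, fails the check because the code it was captured with has long since expired.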
The Secret Service informed the state of the breach on Oct. 10 about a month after the data was stolen.
The Senate subcommittee plans to meet next week and issue a report before the legislative session starts in January.