WASHINGTON — Gov. Nikki Haley on Wednesday for the first time accepted personal blame for a massive cyber-attack that stole the Social Security and bank account numbers of millions of South Carolinians, saying she should have done more to ensure the data’s security.
Haley briefed the state’s congressional delegation on the hacking into S.C. Department of Revenue computer servers by digital thieves, who pilfered the tax returns of 3.8 million state residents and 700,000 businesses going back to 1998. The thieves gained access to the Social Security numbers and bank accounts of the taxpayers and also information on 1.9 million dependents.
Haley faulted the federal Internal Revenue Service for failing to make clear that being in compliance with its rules doesn’t require encryption — a method of storing data that protects it — but, she added, as the state’s top executive officer, it was her responsibility to know that.
“I, ultimately, am saying that South Carolina is at fault for not doing this,” Haley said. “I should have asked the extra question. I should have said, ‘Does this include encryption?’ ”
Before updating the state’s federal lawmakers, Haley addressed a closed meeting of the Republican Governors Association, where she said she warned governors and business leaders of hacking threats.
“What I’m going to do is go and educate all my governors and say, ‘Don’t settle for the IRS saying you’re compliant because what they aren’t telling you is their rules are archaic,’ ” Haley said at a news conference. “They’re not saying that being compliant doesn’t include actually encrypting those numbers, and no governor knows that right now. And so we’re working hard to get that out there.”
In a recent letter to the IRS, Haley called its cyber-security standards outdated and asked the agency and all states to encrypt taxpayer data in servers. The IRS said in a statement last week that it used “a variety of safeguards — including encryption.”
The hacking began in late August after an unidentified S.C. Department of Revenue employee clicked on a link in an email, which installed dangerous software — called “phishing malware” — on the employee’s computer.
The data thieves used the malware to obtain the employee’s login and password for accessing electronic tax returns, and then downloaded the returns over the next seven weeks, until a Secret Service probe stopped the operation.
U.S. Sen. Lindsey Graham, R-S.C., said the episode demonstrates that protecting the computers at federal agencies and private businesses must be a national security imperative.
“One of the things that keeps me up at night — besides the Iranians getting a nuclear weapon — is a major cyber-attack against our national-security infrastructure: our power plants, our chemical plants, our aviation systems, our financial systems,” Graham said. “The threat is real. Terrorists are trying to hit us every day (as well as) China, Russia, hostile nations.”
Andrew Shain of The State contributed to this article.