COLUMBIA, SC — A computer chief at the S.C. Department of Revenue did not heed warnings about cyber-security shortcomings at that state agency before hackers stole personal financial data belonging to 6.4 million consumers and business, a former agency employee told lawmakers Thursday.
Former agency computer security administrator Scott Shealy also blamed his job remaining open for nearly a year and a decision to spread security responsibilities among overtaxed employees after his departure for leaving gaps that contributed to the breach.
There was a lack of oversight in the day-to-day operations that potentially could have spotted (the hacking) and stopped it, Shealy told a special House committee investigating the breach.
The state has spent $20 million to repair what is considered the nations largest-ever hacking of a state agency. But the price tag is expected to grow as more S.C. agencies request money for improved cyber-security. Lawmakers and state budget officials have no estimate on the incidents final cost, saying they are awaiting recommendations from a yet-to-be-hired security consultant.
Whatever the price tag is, thats what we need to pay, state Sen. Harvey Peeler, R-Cherokee, told reporters during a legislative preview Thursday. Its the governments responsibility.
Shealy testified his boss at the time, chief information officer Michael Garon, did not make security a priority. Garon did not follow suggestions to encrypt data or require use of dual passwords to gain access to data in Revenue Department computers, Shealy said.
The unidentified hackers stole unencrypted data. Dual passwords could have thwarted the theft, an expert hired by the state said.
(Garon) felt what we had been doing for quite some time was adequate, and we did not need to take additional measures, Shealy, 42, said during testimony where his voice and hands often shook.
Garon left the Revenue Department in September, a departure that the agency has said was unrelated to the hacking. The breach was not discovered until the following month by the Secret Service.
Efforts to reach Garon were unsuccessful Thursday. The House hacking committee would like Garon to testify.
Former Revenue Department director Jim Etter, who left the agency last week, became the fall guy for the breach, Shealy said.
The Revenue Department did not address Shealys accusations in a response.
As an agency, we are focusing on what we can do in the future to help prevent similar occurrences, the department said in a statement.
Shealy said he left the agency after four years in September 2011 out of frustration. His job was not posted until March 2012 and not filled until August, the department said.
In the meantime, Shealy said his security team within the Revenue Department was disbanded and given additional responsibilities. Shealy said agency employees called him at his new job at the S.C. Judicial Department to find out the password for the Revenue Departments firewalls.
In an effort to save pennies, we are going to spend millions in taxpayer dollars, said House Minority Leader Harry Ott, D-Calhoun, a member of the House hacking committee.
Since the hacking incident, the state has spent $8 million to install security upgrades, send notifications to affected taxpayers and hire computer, legal and public relations experts.
The state has paid Experian $12 million to offer a year of credit-report monitoring to 3.8 million taxpayers whose personal financial information was stolen from the Revenue Department. Offering a second year of monitoring is under consideration. Experian wants to charge $10 million for that second year.
State Sen. Kevin Bryant, R-Anderson, who chairs a hacking special committee, wants the state to provide assistance for a longer period since information belonging to 1.9 million dependents also was stolen meaning infants could face identity-theft risks for their lifetimes.
We have a 90-year-old problem, he said.
Hackers appeared to access the Revenue Department computers through a program released after an employee opened a malicious email in August, according to a report from computer forensics firm Mandiant. Thieves probed agency servers for three weeks before uploading files in September with tax information, including Social Security and bank account numbers.
Shealy said he took news of the breach at the agency he protected for four years personally.
I felt like if there was the possibility that my tenure there would have continued, he said, this could have been prevented.