The state agency hit by hackers has not completed security measures suggested after the theft of S.C. tax information belonging to 6.4 million consumers and businesses, lawmakers learned Thursday.
They also were told the S.C. Department of Revenue received an alert that 22 of its computers had been infected after an employee clicked an email link in August. The alert, from the state budget board’s Division of State Information Technology, included suggested solutions. The Revenue Department followed one of them and used software to clean infected machines.
“It was a practice that worked before,” Revenue Department executive deputy director Harry Cooper told a House committee investigating the breach. “It’s a practice that we know now did not work, and we have changed the practice substantially.”
The malicious program released from the email link stole passwords used to access tax data.
Lawmakers are trying to learn what led to the nation’s largest hacking at a state agency and how to secure data. The hacking has cost $20 million with at least another $16 million requested for breach-related work in the new state budget.
Mandiant, a computer forensics firm hired by the state for $750,000 after the breach, suggested in November the Revenue Department encrypt data, install dual passwords systems and compartmentalize data. But none of that has happened, Cooper told the committee.
The agency will finish adding a dual-password system by the end of the month, he said. The system is costing about $12,000, said Dale Brown, the agency’s acting chief information officer.
An encryption contract could be signed this week and work would take another 90 days – or more than six months after the breach, Cooper said. Encrypting servers will cost about $5 million, he said.
Segmenting information to thwart theft will be done when data is encrypted, Cooper said.
Last week, a Revenue Department computer security administrator who left the agency in 2011 told the committee that his boss, a former chief information officer, did not make security a priority. Scott Shealy also said his security duties were split among overtaxed workers after he left.
But Cooper told the committee Thursday that “security is a big deal” at the Revenue Department: “It was not like the job was abandoned, and no one was doing the work.”
Agency executives never received suggestions to encrypt data sitting in servers, Cooper said. The Internal Revenue Service requires encrypting data in transmission only.
Shealy said he suggested encryption to the former chief information officer, who left before the breach was detected. The data stolen was not encrypted and was accessible easily to thieves.
“We thought we were doing what was appropriate to provide security,” Cooper said.
Department leaders did not have discussions about best practices for computer safety until after the breach, Cooper said.
“That does not make me feel any better,” said state Rep. Andy Patrick, R-Beaufort, who sits on the hacking committee.
Hackers stole personal financial information, including Social Security and bank account numbers, from 3.8 million taxpayers with 1.9 million dependents in September. Thieves also took data for 700,000 businesses.