A $25,000 dual password system likely would have prevented hackers from stealing state tax data belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, a special state Senate subcommittee investigating the breach learned Wednesday.
“I almost fell out of my chair,” said S.C. Sen. Kevin Bryant, an Anderson Republican co-chairing the subcommittee. “For $25,000, we wouldn’t be here.”
A computer security firm hired by the state in the wake of the September breach told senators that hackers would have been thwarted by requiring revenue employees to log in twice -- once with a password that changes every minute.
The agency is spending $25,000 for this type of system, revenue department director James Etter told senators.
The subcommittee also was told the department looked at encrypting data at least twice in the past six years before hackers stole unencrypted state tax data in September.
The agency priced encrypting all data at $5 million in 2006 but chose to follow IRS standards that do not require encrypting tax information in servers, said Etter, who is resigning at the end of the year. The IRS requires encrypting data moving from office to office.
This year, the department sought $14.4 million for computer system upgrades that would have included encryption, but the request was cut by House budget makers, Etter said. House officials said they were unaware of any requests that included computer security measures.
The revenue department only encrypted credit-card numbers. Marshall Heilman, a director at computer security firm Mandiant hired by the state after the hack, said he would have recommended encrypting tax data, including Social Security numbers. The agency is encrypting all data now.
Bryant asked what made the revenue agency an attractive target for the hackers: “If I were a criminal, I would go to the house that wasn’t locked.”
Etter replied, “I don’t know why he picked us,” and then suggested that other states might have been hacked but not discovered the thefts.
Wednesday’s hearing was the first from a special four-member Senate subcommittee looking into the hack believed to be the largest nationwide at a state agency. Hackers stole information of 3.8 million taxpayers who have 1.9 million dependents and nearly 700,000 businesses. Thieves also stole bank account information from 3.3 million taxpayers.
Etter said the agency did not have a computer security chief for nearly a year because it could not draw candidates for a $100,000 salary -- about half of what the private sector pays.
The department’s chief information officer, Mike Garon, filled the security role, but he left the agency in September for undisclosed reasons unrelated to the hacking.
After the hearing, Bryant said he was upset that the department left the job open so long without asking for help from lawmakers, saying: “How many banks go 11 months without a security guard?”
Etter declined during the hearing to discuss the agency’s security measures before the hacking, saying that would be telling thieves, “Here are the keys to the front door. Come on in.”
Mandiant will issue security suggestions to the state at the end of the week. The company’s work will cost $700,000, Heilman said. A review of computer systems before the hacking would have cost about $200,000, he said.
The breach has proven costly.
The price to resolve the hacking has surpassed $14 million -- including a $12 million contract with Experian for taxpayers to get a year of free credit-report monitoring and hiring a public relations firm and outside lawyers.