When it comes to the massive data breach at the state Department of Revenue, a lot of South Carolinians have heard about it and don’t think enough was done to stop it, a survey finds.
Three of four South Carolinians said the state government did not have adequate protection when hackers stole financial data belonging to 6.4 million taxpayers, children and businesses, according to exclusive Winthrop University poll questions asked for The State.
The survey questions also found more than nine out of 10 South Carolinians had heard about the hacking – an unusually high number based on typical news-gathering habits, Winthrop political scientist Scott Huffmon said.
The hacking incident could come back to haunt the political fortunes of first-term Republican Gov. Nikki Haley.
Haley’s approval rating – at 38 percent among the almost 1,000 South Carolinians surveyed – is even lower among those who thought the state failed to protect personal data such as Social Security numbers – dropping to 35 percent, according to the poll.
Meanwhile, Haley’s job disapproval mark – 41 percent among all surveyed – jumped to 46 percent among those unhappy with how the state protected the information.
Huffmon said some of the increased negativity thrown at Haley might not be because of her job performance with the breach. “I’d say it is more likely for those who disapprove of Haley to assign blame for failing to adequately secure the data to the ‘South Carolina government’ for whom Haley is the public face,” he said.
However, political consultants say the hacking represents the biggest crisis of Haley’s two years in office and could define her re-election bid in 2014 if she decides to run.
Haley is contending with people who are upset that it took the state 16 days, after it first learned of the breach, to tell the public and about facts changing at press briefings. Initially, for example, the governor said nothing could have stopped the hackers and no businesses information was stolen.
“It’s hard to tell if we’ve heard the end of the hacking story,” Columbia-based political consultant Steve Fooshe said.
‘I’m sorry’ not enough
Thieves swiped Social Security numbers and other sensitive data belonging to 3.8 million taxpayers with 1.9 million dependents as well as nearly 700,000 businesses in mid-September. The hacking of the mostly unencrypted data is thought to be the largest-ever nationwide at a state agency.
The significant show of concern about the hacking incident in the poll means state officials need to come up with a proportional response, Huffmon said.
“They need to make a big show about beefing up security,” he said. S.C. residents “will need to know how their data will be protected in the future. A simple ‘I’m sorry’ won’t be enough.”
Haley has not apologized, but she now says the state could have done more to protect sensitive financial data. She also has blamed Internal Revenue Service regulations that did not require that states encrypt tax data resting in computer servers.
“Gov. Haley certainly counts herself among the 74.6 percent of South Carolinians who think the state was not providing state-of-the-art computer security,” her spokesman Rob Godfrey said. “South Carolina was way behind, and we’re fixing it as quickly as we can.”
The state has taken several steps, costing $20 million so far, to safeguard information and to help people whose Social Security numbers and other data were swiped.
The Revenue Department is spending $5 million to encrypt tax information. More than 900,000 taxpayers also have signed up for a free year of credit monitoring under a $12 million state contract with Experian. The state Senate and S.C. House also have appointed special investigative committees to look into the breach that could propose legislation to improve security.
“I see this as a huge failure on the part of South Carolina,” said House Minority Leader Harry Ott, a Calhoun Democrat who is vice chair of the hacking committee. “I do not believe enough has been done.”
State Rep. Dwight Loftis, a Greenville Republican who is a member of the hacking committee, said, for the third straight year, he plans to introduce a bill to make the state chief information officer, in charge of state computer systems, a cabinet-level job. State agencies individually run their own computer operations now.
“Maybe it will get some more attention this time,” Loftis said.
Other measures could include outsourcing some computer security work to get the latest expertise, Loftis said. “Yes, it’s expensive, but how much does the hacking cost all those people?”
‘This affects everyone’
The number of South Carolinians with some knowledge of the breach was higher than Huffmon expected, based on the estimated 40 percent of people who do not regularly watch the news or get their news from cable television, which does not regularly cover state issues.
About 73 percent of those polled said they were very or somewhat familiar with the breach. Another 18.5 percent said they heard about the cyber attack but did not know the details.
Only 8.3 percent of respondents had no clue that hackers might have stolen their tax data.
“When you have people who are not following general news knowing about this, you’re going to need to address this in a meaningful way,” Huffmon said. “This is not some arcane policy. This affects everyone.”
Letters to consumers and businesses notifying them of the breach should start going out this week. Those letters will include alerts for the 3.3 million taxpayers whose bank account numbers were exposed because that routing information had been used to get direct deposit of refunds. The data stolen dates back to 1998 but affected only tax returns that were filed electronically.
Winthrop surveyed 929 respondents from Nov. 25 through Dec. 2. The poll has a margin of error of plus or minus 3.5 percent.