The contractor hired by the S.C. Department of Revenue to provide computer security focused on the agency’s compliance with rules governing the handling of credit-card information, not stopping malicious programs such as those that hackers used to steal the tax records of 4.5 million S.C. consumers and businesses.
The Revenue Department also had its own computer security system that ran periodic scans for viruses and malware that hackers could use.
Neither security effort prevented or detected the massive theft, conducted using state-approved credentials, until state officials learned of the breach from the Secret Service a month after the data was swiped.
“As experts have stated, there is no way to be 100 percent secure. However, at the time of the breach, the department believed appropriate measures and safeguards were in place to protect taxpayer information,” Revenue Department spokeswoman Samantha Cheek said Wednesday.
While many questions remain about how the hacking occurred, Gov. Nikki Haley ordered more computer security Wednesday for the 16 state agencies that are part of her Cabinet.
The agencies will use the Division of State Information Technology’s computer network monitoring services, which can spot unusual uploads or downloads and malicious programs within minutes. The state will assign four employees to provide around-the-clock monitoring of computer systems – such as spotting inappropriate log-ins.
“What I have learned is that these international hackers are not going to do this from 9-to-5,” Haley said. “We need somebody in the office 24 hours a day monitoring those computers.”
Five Cabinet agencies will spend nearly $500,000 for equipment so their computer systems can be part of the Information Technology division’s 24/7 monitoring, the governor’s office said.
South Carolina also will get a program, nicknamed “The Hand” by Washington-based security firm Mandiant, that can shut down computers infected with viruses and malware or uploading large amounts of data. The $160,000 cost of the program will be covered by the U.S. Department of Homeland Security, Haley said.
Mandiant has a state contract, estimated to reach $500,000, to repair and investigate the hacking of the Revenue Department. The state also is paying for a public relations firm and outside legal advice at a cost expected to top $250,000.
In the past, state agencies have been able to decide on their own computer security measures. The state Information Technology division already works with 54 state agencies – about half the state’s total. Haley said she has encouraged other state agencies that are not under her control to follow her plan.
“This is my way of dealing with my (Hurricane) Hugo,” Haley said.
Before the cyber attack, the Revenue Department had partial state network monitoring but not at the computer struck by hackers. The agency did not use the state Information Technology division’s computer monitoring services because officials thought they duplicated those provided by Trustwave, a security contractor the Revenue Department has used since 2005 to ensure the agency could accept credit card payments, Cheek said.
The Revenue Department said Trustwave provides intrusion detection and vulnerability scans. The agency has spent $175,000 during the past three-plus years with the firm.
The department also uses two firewalls, periodic virus scanning, and web and email filtering as part of its security. Social Security numbers and other data were encrypted when in transit but were not encrypted when being stored in servers, where hackers struck, taking the information.
The Revenue Department began encrypting information, and started using state network monitoring and “The Hand” program soon after the state learned about the hacking on Oct. 10.
Haley hopes to release a report on the hacking investigation this week. Officials are unsure when taxpayers will know whose files were taken.