S.C. hacking: What’s known and not, three weeks later

ashain@thestate.comNovember 17, 2012 

Details remain sketchy more than three weeks after S.C. officials revealed hackers swiped state tax information belonging to as many as 4.45 million consumers and businesses.

With Gov. Nikki Haley expected to release an investigative report this week, here is what is known – and not – about the massive hacking attack and the latest on what is being done to prevent another cyber attack:

What do we know about what happened?

Not much.

Hackers duped an employee into opening a file with a program that allowed them to get log-in credentials to the department computers. The hackers probed the computers, starting in late August, before swiping the information in mid-September. The Secret Service told the state about the theft on Oct. 10.

Do we know what the thieves took?

Not exactly.

The state has not released information on what was stolen or from how many people. Haley said to be safe anyone who filed S.C. taxes since 1998 should assume anything on their tax return is in the hands of hackers. That encompasses 3.8 million consumers and 657,000 businesses. The hackers also snagged nearly 400,000 credit cards numbers.

What could the thieves do with the tax information?

Practically anything.

They could get credit cards and loans, receive medical care and empty bank accounts. They have information to identify the most lucrative targets, experts said. Hackers could net $360 million if they empty bank accounts belonging to only 1 percent of affected consumers and businesses, a former FBI agent said last week.

Has anyone’s information been used?

No one knows.

Thieves could wait a year or more to strike. And even if a crook uses some taxpayers’ financial information, pinpointing it to this theft will be difficult.

What kind of computer protection did the Revenue Department have?

The agency used some of common security measures – two firewalls, email and website filters, and periodic virus scans. The department also hired Trustwave to check computer system security periodically to ensure the agency was in compliance with regulations on handling credit cards. Both measures failed to prevent or detect the theft.

Could the Revenue Department have taken other steps?

It seems so.

The department just partially used the Division of State Information Technology’s free network-monitoring service. While that would not have stopped the breach, the state might have learned about the large amount of uploaded data sooner. The revenue agency also did not encrypt tax information sitting in servers. Other state agencies encrypt that information. The S.C. Department of Motor Vehicles, for example, says it encrypts driver’s license data. Revenue officials say most state tax agencies don’t encrypt data in servers, but security experts insist South Carolina should have taken all measures to protect data.

Has anyone lost their job for the breach?

No.

Initially, Haley said no one was to blame. Now, says she will wait until she sees investigative reports.

What is being done?

Now, a lot.

The Revenue Department is encrypting data and using a special program nicknamed “The Hand” that will shut down computers infected by viruses or malware or uploading an usually amount of data. The department also is reviewing whether to reduce the number of employees who have access to its records from its current 250. Meanwhile, all 16 state agencies that report directly to Haley will start using The Hand program and receive round-the-clock monitoring from the Division of State Information Technology. Haley said she would like other state agencies to follow suit.

Doesn’t anyone coordinate computer security among state agencies?

No, but look for that to change.

State agencies are allowed to handle their own computer systems. The Division of State Information Technology must market its services just like private-sector firms to state agencies. Last week, Haley ordered her 16 cabinet agencies to follow the state Information Technology division’s security procedures. The state Inspector General is working with chief information officers at all state agencies on a plan to improve and coordinate computer security. The state Senate also has formed a committee to investigate the breech and lawmakers likely will introduce bills to centralize state agency computer technology.

How much is the breach costing the state?

Nearly $14 million and counting.

South Carolina will pay Experian $12 million to provide a free year of credit monitoring to taxpayers. The state also is shelling out an estimated $741,000 to inform up to 1.5 million out-of-state residents who filed S.C. taxes since 1998; an estimated $500,000 for computer security firm Mandiant; $500,000 for five state agencies to program their computer systems to sync with the state Information Technology center; $160,000 for public relations firm Chernoff Newman to coordinate a news conference and place ads to consumers; and an estimated $100,000 for outside legal help from Columbia’s Nelson Mullins law firm.

How can the state spend all this money?

The Revenue Department can’t pay the bills without severe cuts. The expenses represent about a third of the agency’s annual budget of $41.7 million. No word yet how lawmakers will cover the tab, but they need to decide soon. Experian is scheduled to get two $6 million payments on Dec. 15 and Jan. 31.

Did the state seek bids for the credit-monitoring contract?

Kind of.

To have a place for taxpayers to contact when the hacking was revealed, the Revenue Department said lawyers quickly sought bids from three companies – Experian, Citreas and Identity Force. No details have been released about the bids. The department said: “Experian appeared to be the vendor best suited to the nature and size of the breach.” Plus, Experian provided similar credit monitoring when information belonging to more than 228,000 S.C. Medicaid beneficiaries was exposed this spring. But the chief executives of Citreas and Identify Force told The Associated Press they never heard from South Carolina officials. (Note: Experian and Dun & Bradstreet Credibility Corp. are offering business’ credit monitoring at no cost to the state.)

Why then were hotlines jammed in the first days after the breach was announced?

The contract between the state and Experian was signed in the hour before a news conference announcing the breach. Experian was working to get operators ready before the contract was signed, the Revenue Department said. Still, phone lines were hammered with people trying to get a code needed to enroll for credit monitoring online. Experian doubled operators to about 300, and the state released the online access code to the public. Haley bizarrely blamed reporters for tying up the phone lines. In an email, Experian suggested people felt compelled to call immediately because the Jan. 31 enrollment deadline was not mentioned at Haley’s initial news conference. Wait times have dropped since.

The Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service