Hacked SC agency still has not improved its security

They’re working through list of ways to protect data, but none have been implemented yet

ashain@thestate.comJanuary 10, 2013 

— The state agency hit by hackers has not completed security measures suggested after the theft of S.C. tax information belonging to 6.4 million consumers and businesses, lawmakers learned Thursday.

They also were told the S.C. Department of Revenue received an alert that 22 of its computers had been infected after an employee clicked an email link in August. The alert, from the state budget board’s Division of State Information Technology, included suggested solutions. The Revenue Department followed one of them and used software to clean infected machines.

“It was a practice that worked before,” Revenue Department executive deputy director Harry Cooper told a House committee investigating the breach.

“It’s a practice that we know now did not work, and we have changed the practice substantially.”

The malicious program released from the email link stole passwords used to access tax data.

Lawmakers are trying to learn what led to the nation’s largest hacking at a state agency and how to secure data. The hacking has cost $20 million with at least another $16 million requested for breach-related work in the new state budget.

Mandiant, a computer forensics firm hired by the state for $750,000 after the breach, suggested in November the Revenue Department encrypt data, install dual passwords systems and compartmentalize data. But none of that has happened, Cooper told the committee.

The agency will finish adding a dual-password system by the end of the month, he said. The system is costing about $12,000, said Dale Brown, the agency’s acting chief information officer.

An encryption contract could be signed this week and work would take another 90 days – or more than six months after the breach, Cooper said. Encrypting servers will cost about $5 million, he said.

Segmenting information to thwart theft will be done when data is encrypted, Cooper said.

Last week, a Revenue Department computer security administrator who left the agency in 2011 told the committee that his boss, a former chief information officer, did not make security a priority. Scott Shealy also said his security duties were split among overtaxed workers after he left.

Cooper told the group Thursday that “security is a big deal” at the Revenue Department: “It was not like the job was abandoned, and no one was doing the work.”

Hackers stole personal financial information, including Social Security and bank account numbers, from 3.8 million taxpayers with 1.9 million dependents in September. Thieves also took data for 700,000 businesses.

The Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service