COLUMBIA — Checking state computer logs could have spotted hackers before they stole financial data from the S.C. Department of Revenue belonging to 6.4 million consumers and businesses, two former agency employees said Thursday.
The logs should have shown unusual activity as hackers searched department servers and stole data over three weeks in August and September, said the agency’s former chief information officer, Mike Garon, and former computer security administrator, Scott Shealy.
Garon said he did not know why his staff, which included contract workers, failed to find signs of the hackers. The state did not learn about the hacking until told about it by the Secret Service in October.
“I’m amazed, in the loss that we had, that we didn’t detect anything in our logs,” Garon told a state House hearing into the breach. “When I heard they had been in there for a number of weeks and that amount of data went out of our systems and (we) weren’t aware of it, I just don’t understand. People are supposed to look at those logs. … Someone was not doing their job.”
The Revenue Department disagreed with its former employees’ assessments, citing an investigation by a state-hired consultant, Mandiant, that said the hackers “appeared to not be suspicious” because they used stolen user names and passwords.
Shealy said logs showing such large transfers of data should have triggered questions – even if the activity appeared to come from an agency employee.
But the Revenue Department said agency computer logs were not being reviewed at the time of the breach, and that reviewing them was Garon’s responsibility. The department did not have a formal policy about monitoring logs during the hacking, the agency said, adding that those logs now are reviewed daily.
Garon said he spent about five years crafting a security policy for the Revenue Department that was never approved by agency leaders, so his staff operated under unwritten rules.
Garon said he was not solely responsible for the administrative breakdowns that led to the nation’s largest breach at a state agency, blaming decisions by Revenue Department leaders and his staff’s failure to follow rules.
Garon said he took partial responsibility if the policies he put in place were not sufficient to prevent the hacking. “Am I accountable for some element of this? Yes.”
Garon said he was fired on Sept. 21 for reasons unrelated to the breach. Despite good performance reviews, Garon said he was dismissed because of two incidents in a week, in which he became upset at one of his managers in a meeting and was accused of setting department policy without getting permission from his bosses.
Three weeks earlier, Garon said he met with then-Revenue director Jim Etter and the agency’s executive deputy director, Harry Cooper, to warn them about the security risks of working on multiple projects simultaneously.
The two men did not follow his suggestions, Garon said. “They decided what to do.”
Through an agency spokeswoman, Cooper said that conversation with Garon never occurred.
Etter left the agency at the end of last year by a mutual agreement with Gov. Nikki Haley.
Garon complained to lawmakers that high turnover in his department forced him to reassign security duties among employees and hire contractors to help review computer logs.
Shealy, who previously testified to lawmakers that Garon failed to make security a priority, said logs were reviewed daily when he worked at the agency, through late 2011. Shealy now works at the S.C. Judicial Department.
Meanwhile Thursday, Etter and Haley personally were dismissed as defendants in a lawsuit filed over the breach.
During a hearing in Columbia, Circuit Judge G. Thomas Cooper said he needed more time to consider requests to dismiss the case against the governor’s office, the Department of Revenue, South Carolina’s Division of Information Technology and a private data-security company hired by the revenue agency, Trustwave.
The suit seeks to be declared a class action and recover damages for all taxpayers affected by the theft of their financial information.
The Associated Press contributed to this report.