Tim Smith, Greenville News
This article originally appeared at GreenvilleOnline.com:
COLUMBIA - Nearly three months after officials publicly disclosed a massive data breach at the state Revenue Department, the agency has yet to begin encrypting most of its data.
The agency prior to the breach encrypted credit card information but decided not to encrypt its other information years ago, citing cost concerns, former DOR Director James Etter told senators last year.
Encryption of all data was one of the top recommendations by Mandiant, the cyber security firm brought in by the state to investigate the DOR hacking and make recommendations.
Harry Cooper, DOR's deputy director, told a House panel Thursday that the agency bought programs to encrypt data on desktop and laptop computers but officials found it to be "unwieldy" and abandoned the effort.
When first questioned by House members about encryption, Cooper appeared to indicate that the agency had begun the process.
But when lawmakers questioned the agency's chief information officer, Dale Brown, he said no laptops, desktops, applications or servers had been encrypted other than for credit card data.
Brown and Cooper said the agency is reviewing vendors for encryption. Once one is chosen it could take up to 90 days to encrypt the stored data, they said.
They also said the agency is about halfway through installing a multi-password system for the agency, also known as dual-factor authentication. They said the system should be completely installed by the end of the month.
The system, which Brown said will cost about $12,000, was another recommendation of Mandiant's and one that cyber security officials say could have greatly reduced the agency's risk of being hacked. Cooper said the agency had the ability to install a multi-password system on agency laptops had the agency bought the necessary software and hardware but it did not do so.
That prompted Rep. Andy Patrick of Hilton Head to liken the decision to "locking your front door and leaving your back door open."
Cooper noted that the phishing email arrived at a desktop, not a laptop.
Thursday's revelations followed a report by GreenvilleOnline.com this week that many cabinet agencies are still working on installing full encryption and a multi-password system, or are still considering them.
Lawmakers were not pleased at what they see as slow progress in protecting taxpayers' data.
"I thought they were already in the process of dealing with encryption and I thought they were finished with dual authentication," Rep. Bruce Bannister of Greenville, who chairs the House panel investigating the breach, told GreenvilleOnline.com. "I'm surprised to hear they were not. It appears the agencies in general have taken a more relaxed view of data security. I don't think they appreciate the threat they are under now."
Sen. Kevin Bryant of Anderson, who chairs the Senate subcommittee probing the breach, said he was not happy with what DOR said Thursday.
"It's obvious they're not in a hurry," he said. "So we're going to have to put a fire under them."
That fire, he said, would come in the form of a request but could also include legislation mandating that agencies with sensitive data install full encryption and multi-password systems.
Industry experts have said both protections are considered basic steps in cyber security for organizations with databases that hold personal or sensitive information.
Brown said the DOR encryption could cost between $4 million and $12 million.
The state has already spent $20 million in the wake of the breach, which exposed 3.8 million Social Security numbers, 3.3 million bank account numbers and information belonging to nearly 700,000 businesses.
Brown also acknowledged Thursday that the agency's response to the phishing email was not adequate.
He said the protocol at the time used software to clean the affected computer but was not always effective. He said the agency now simply wipes the machine's memory clean.
Cooper said he did not know if the agency was told to reset passwords at the time by the state's information technology office, which had detected the phishing email and warned the agency. An official later told lawmakers that DOR was told to reset its passwords but did not do so. But he said he did not know if that would have prevented the breach.
Also Thursday, Bannister said the committee will renew its efforts to get DOR's former chief information officer, Mike Garon, to testify and is exploring whether the panel can subpoena him, if necessary. He said staff thus far has not been able to find him. Garon, who according to Cooper worked at the agency for about 12 years, left after the agency received a phishing email that Mandiant believes gave the hacker access to the system, but before state officials learned in October that the system had been breached.
Cooper said his departure had nothing to do with the hacking.
But in response to questions about why Garon left, Cooper said he resigned.
Lawmakers want to talk to Garon because he was filling in as the agency's security officer before one was hired Aug. 2 and because he was the top official to whom security workers reported.
Scott Shealy, a former DOR security officer, told the House panel last week that cyber security at the agency was not a priority while he was there and that he recommended full encryption and strengthening the agency's access system, but his recommendations were not followed.
He said when he left his security team was disbanded and the duties assigned to others, who he said were already overworked.
Cooper said the agency is reviewing emails between Shealy and Garon and what he has seen is "interesting" but he said the review is not finished and could not characterize them any further.
Cooper told lawmakers that he did not know what recommendations, if any, Shealy made to Garon.
But he defended the agency against claims that it did not take cyber security seriously, saying DOR did not neglect protection of its data.
Cooper said security at the agency was and is "a big deal."
He said the security officer's contention that his security team was disbanded was not correct. One employee left, he said, and the team's duties were assigned to other people.
Although the security officer left in September 2011 and his job was not posted until the following spring, Cooper said the officer's duties were carried out by another staff member.
"It wasn't like the job was abandoned," he said.
Cooper said the agency has made improvements in cyber security in recent months. Screens have been "beefed up" to catch more attacks, employees are being repeatedly educated about the dangers of opening phishing emails, and the entire system is now being monitored. In addition, he said, the chief of cyber security now reports to the agency's director instead of to the CIO.