By Tim Smith, Greenville News
Columbia, SC -- Four months after a massive data breach at the state Department of Revenue exposed millions of taxpayers to identity theft, state government's response to the hacking is incomplete and uncertain.
Full encryption of the department's data files is months away from being finished, officials are waiting on a consultant to be hired to begin an overall security assessment and lawmakers are waiting on the consultant's report before deciding how much money to spend to further protect taxpayer data in all agencies.
And nervous taxpayers have no assurance that the credit monitoring service offered to them free last year in response to the breach will continue after a year, and if so, for how long.
Meanwhile, the chairmen of two legislative committees that have spent months investigating the Department of Revenue breach say they don't think state agencies made data security their top priority, especially before the hacking.
"We did not focus on the risk that was there," Rep. Bruce Bannister of Greenville, House majority leader and chairman of the committee, told GreenvilleOnline.com about the Department of Revenue.
"I think the real takeaway from the Department of Revenue breach is we can't continue to operate all the other agencies the same way."
Sen. Kevin Bryant, chairman of a Senate subcommittee that investigated the breach, said the lesson he has learned from the hearings has been that state agencies will have to be forced to protect their data.
"Even when the DOR hacking incident made national news, other agencies are going to have to be forced to protect the data with some heavy oversight," he said. "One would think they would be scrambling and rushing to get their data protected but they're not."
The issue is one that Democrats predict will stay with Gov. Nikki Haley, who disclosed the breach on Oct. 26 and has had to reverse her initial opinion that it couldn't have been avoided.
"I think the data breach is going to ultimately stick with the governor because ultimately she is responsible for the Department of Revenue," said Sen. Vincent Sheheen, a Camden Democrat who lost to Haley in the 2010 governor's race and could run against her in 2014.
"It's also, unfortunately, going to stick with the people of South Carolina and that's where the focus should be. We're going to be experiencing this data breach for the lives of our children and we need to be doing more to make sure it doesn't happen again and to correct it."
State Democratic Party Chairman Dick Harpootlian of the governor, and the breach, "She is defined by her failures and this is a failure that affected millions of South Carolinians."
The governor's spokesman, however, has a different view.
"From the beginning, Gov. Haley harnessed the resources of law enforcement, the administration, IT experts, credit monitoring services and state business leaders - and worked with the General Assembly - to deliver South Carolinians the best protection available at the least cost - and has fought every day since she learned of the attack to strengthen security and make sure we never find ourselves in this position again," said Haley spokesman Rob Godfrey.
He added, "This isn't a political issue for the governor - it's an issue of protecting South Carolinians. That long-time antagonists want to politicize it is as predictable as it is rankly opportunistic, but it's just not where the governor's focus is."
Lewis Gossett, president of the South Carolina Manufacturers Alliance, said he has been pleased at the response from Haley's office to the breach and its outreach to the business community.
"They haven't exactly inherited a smooth operation," he said. "They are fixing things. And I think that is a big task."
The September 2012 breach occurred, experts have told lawmakers, after a Department of Revenue employee opened a phishing email the month before, giving the hacker access to the department's data system.
Over a period of weeks, the hacker patiently and methodically scoured the department's system by remote access, using the stolen employee's credentials and then finding more once inside the system, undetected by the agency.
Then, over a two-day period in mid-September, the hacker zipped up huge data files and sent them to the Internet. Mandiant, a cyber security firm that investigated the breach for the Department of Revenue, said that 74.7 gigabytes of data was stolen.
That data included 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses.
State officials, however, didn't learn of the breach until Oct. 10, when the U.S. Secret Service notified the state that it believed the Revenue Department's system had been hacked.
For the next 15 days, state and federal investigators quietly pursued the case. On Oct. 26, Haley, after consulting with investigators, publicly disclosed the breach and moved to protect taxpayers by announcing they would be able to sign up for a one-year free credit monitoring service with Experian.
Since then, about 1 million people have signed up for the protection, which is costing the state $12 million.
Haley initially told the public that the breach was sophisticated and couldn't have been prevented.
But legislative hearings eventually found otherwise.
The Department of Revenue didn't encrypt all of its data, despite recommendations to do so by one of its former security officers, and didn't use a multi-password system to access its data, two protections that experts told lawmakers could have greatly reduced chances of the breach.
Former Department of Revenue Director Jim Etter told senators that the password system would have cost the agency about $25,000.
It also didn't encrypt its laptops or desktops and didn't use a free state network monitoring service over its entire network.
Scott Shealy, a former Revenue Department security officer, said that security at the agency wasn't a top priority.
In late November, Haley said security at the agency, part of her cabinet, wasn't what it should have been. She announced then that Etter would resign by the end of the year.
"We should have done more than we did," she said then. "We should have done above and beyond what we did."
Haley said the state didn't encrypt its data in storage other than credit cards because the IRS didn't recommend encrypting all data, including Social Security numbers.
She said then that the biggest lesson for her from the breach is that the state has to go beyond what others recommend and come up with its own protection plans.
Haley ordered her cabinet agencies to use the state's monitoring service, which was being upgraded to provide around-the-clock protection and asked the state's inspector general, Patrick Maley, to look at state government cyber security.
Security found inadequate
After interviewing 18 chief information officers, the inspector general concluded that cyber security in state agencies was inadequate.
He recommended the state hire a consultant to develop a statewide security program and that the state create the post of chief information security officer.
It is now four months after the breach was revealed, and no official knows the cyber security vulnerabilities of every agency.
That's because South Carolina's government is largely decentralized and while the state's Division of Information Technology can recommend security policies and procedures, agencies don't have to follow them.
The Budget and Control Board in December decided to begin a search for a consultant to conduct a security assessment and issue recommendations, including budget advice. That consultant is expected to be hired soon.
Last month, officials said the Department of Revenue completed installing the new multi-password system, which cost about $12,000, and began the process of encrypting all sensitive data, a process that could take 90 days.
The breach also sparked a lawsuit, filed by former Sen. John Hawkins of Spartanburg, alleging that the state failed to protect taxpayers.
Circuit Judge G. Thomas Cooper has dismissed Haley and Etter, as individuals, from the suit. He is still considering a motion to dismiss the case against Haley's office, the Department of Revenue, a private security company and the state information technology office.
Meanwhile, staffers of Bannister's committee are studying Department of Revenue computer logs to determine if there were indicators of the breach that were missed by employees at the agency who were supposed to be monitoring the logs.
No arrests have been announced in the case.
"The investigation is ongoing," said Thom Berry, spokesman for the State Law Enforcement Division.