Outgoing Director of SCDOR Jim Etter testifies before the panel. (Nov. 28, 2012/FOX Carolina)
SC Sen. Kevin Bryant begins the hearing in Columbia. (Nov. 28, 2012/FOX Carolina)
COLUMBIA, SC (AP/FOX Carolina) -
State senators are investigating a massive tax breach at South Carolina's tax collection agency that exposed the unencrypted data of 3.8 million individual filers and 700,000 businesses.
A Senate oversight panel created earlier this month held its first meeting Wednesday morning.
During the meeting, officials testified that on Aug. 13, a computer hacker sent multiple malicious emails, otherwise known as phishing emails, to employees at the South Carolina Department of Revenue. These emails purported to come from the tax agency and asked users to click on a link to confirm a pending wire transfer.
Marshall Heilman with Mandiant, the computer security firm hired by the Revenue Department on Oct. 12 to determine what information was taken and how, said an employee clicked on that link, opening the door for the hacker to operate undetected for weeks.
"In this particular case if the DOR had multi-factor authentication, the hacker would not have been able to log on using those credentials," Heilman testified.
He said multi-factor authentication would have required the hacker to use more than one method of identification to log on to the system. Heilman also said their services will cost the state $700,000.
Heilman said they know whose user account was connected to the breach and that the international hacker used phishing emails to breach the system.
Along with Heilman, other state officials testified before the panel Wednesday morning including outgoing Director of the South Carolina Department of Revenue Jim Etter, who turned in his letter of resignation in the wake of the breach and will remain on until Dec. 31.
Mandiant said SCDOR did not encrypt any taxpayers' Social Security numbers and some financial information was left vulnerable. Etter said that the state considered encryption in 2006, but it would have cost too much.
"It would be very expensive and cost ineffective," Etter said. "It would have cost about $5 million."
Etter also had to answer questions as to why the tax agency was without a computer security chief for almost a year, until this August. He said there was not enough money to hire a qualified person, delaying the search and hiring of someone.
"We moved as fast as we could," Etter said. "We are not competitive with the private sector and trying to find someone to move into this position is very difficult."
Panel co-chairman Kevin Bryant of Anderson has said the subcommittee's job is to find out who's responsible for the agency's lax computer security. Bryant said he was upset to hear that simple and relatively inexpensive measures could have prevented the attack.
"These professional hackers are very good," Bryant said, "but like I mentioned, the lion doesn't go to the head of the pack to eat lunch. So evidently we were the easiest to get into."
So far, the attack has cost the state $12,700,000, which includes monitoring services from Experian and fees paid to Mandiant to investigate the breach, making the $5 million cost in 2006 to encrypt all the data look like a good deal.
The state has set up a year of daily monitoring of the three credit bureaus and a lifetime of over-the-phone help on resolving identity theft after it happens through Experian.
People are asked to visit protectmyid.com/scdor and enter code SCDOR123 or call 1-866-578-5422 to determine if their Social Security number was accessed.
Haley said in a previous press conference that Dun and Bradstreet Credibility Corp. will offer free credit-monitoring service to any businesses affected by the hacking case. She said the businesses can sign up for the service at dandb.com/sc or by calling 800-279-9881.
Copyright 2012 FOX Carolina (Meredith Corporation). All rights reserved. The Associated Press contributed to this report.