Outgoing Director of SCDOR Jim Etter testifies before the panel. (Nov. 28, 2012/FOX Carolina)
SC Sen. Kevin Bryant begins the hearing in Columbia. (Nov. 28, 2012/FOX Carolina)
COLUMBIA, SC (AP/FOX Carolina) -
State senators are investigating a massive tax breach at South Carolina's tax collection agency that exposed the unencrypted data of 3.8 million individual filers and 700,000 businesses.
A Senate oversight panel created earlier this month held its first meeting Wednesday morning.
During the meeting, officials testified that on Aug. 13, a computer hacker sent multiple malicious emails, otherwise known as phishing emails, to employees at the South Carolina Department of Revenue. These emails purported to come from the tax agency and asked users to click on a link to confirm a pending wire transfer.
Marshall Heilman with Mandiant, the computer security firm hired by the Revenue Department on Oct. 12 to determine what information was taken and how, said an employee clicked on that link, opening the door for the hacker to operate undetected for weeks.
"In this particular case if the DOR had multi-factor authentication, the hacker would not have been able to log on using those credentials," Heilman testified.
He said multi-factor authentication would have required the hacker to use more than one method of identification to log on to the system. Heilman also said their services will cost the state $700,000.
Heilman said they know whose user account was connected to the breach and that the international hacker used phishing emails to breach the system.
Along with Heilman, other state officials testified before the panel Wednesday morning including outgoing Director of the South Carolina Department of Revenue Jim Etter, who turned in his letter of resignation in the wake of the breach and will remain on until Dec. 31.
Mandiant said SCDOR did not encrypt any taxpayers' social security numbers and some financial information was left vulnerable. Etter said that the state considered encryption in 2006, but it would have cost too much.
"It would be very expensive and cost ineffective," Etter said. "It would have cost about $5 million."
Etter also had to answer questions as to why the tax agency was without a computer security chief for almost a year, until this August. He said there was not enough money to hire a qualified person, delaying the search and hiring of someone.
"We moved as fast as we could," Etter said. "We are not competitive with the private sector and trying to find someone to move into this position is very difficult."
Panel co-chairman Kevin Bryant of Anderson has said the subcommittee's job is to find out who's responsible for the agency's lax computer security. Bryant said he was upset to hear that simple and relatively inexpensive measures could have prevented the attack.
"These professional hackers are very good," Bryant said. "but like I mentioned, the lion doesn't go to the head of the pack to eat lunch. So evidently we were the easiest to get into."
So far, the attack has cost the state $12,700,000, which includes monitoring services from Experian and fees paid to Mandiant to investigate the breach, making the $5 million cost in 2006 to encrypt all the date look like a good deal.
The state has set up a year of daily
monitoring of the three credit bureaus and a lifetime of over-the-phone
help on resolving identity theft after it happens through Experian.
People are asked to visit protectmyid.com/scdor and enter code SCDOR123 or call 1-866-578-5422 to determine if their Social Security number was accessed.
Haley said in a previous press conference
that Dun and Bradstreet Credibility Corp. will offer free
credit-monitoring service to any businesses affected by the hacking
case. She said the businesses can sign up for the service at
dandb.com/sc or by calling 800-279-9881.
Copyright 2012 FOX Carolina (Meredith Corporation). All rights reserved. The Associated Press contributed to this report.
BRADENTON BEACH, FL (WFLX) - People are outraged after a Florida couple was caught having sex on a public beach Sunday afternoon in front of dozens of people including children. Bradenton Beach policeMore >
People are outraged after a Florida couple was caught having sex on a public beach Sunday afternoon in front of dozens of people including children.More >
Thursday, July 24 2014 2:35 AM EDT2014-07-24 06:35:51 GMT
The U.S. Supreme Court cleared the way for Arizona to carry out its third execution in the past year Wednesday following a closely watched First Amendment fight over the secrecy surrounding lethal injection drugs.More >
A condemned Arizona inmate gasped for more than an hour and a half during his execution Wednesday before he died in an episode sure to add to the scrutiny surrounding the death penalty in the U.S.More >
Thursday, July 24 2014 9:12 AM EDT2014-07-24 13:12:11 GMT
The official Algerian news agency says an Air Algerie flight from Burkina Faso to Algiers has disappeared from the radar.More >
An Air Algerie flight carrying 116 people from Burkina Faso to Algeria's capital disappeared from radar early Thursday over northern Mali after heavy rains were reported, according to the plane's owner and...More >
Tuesday, July 22 2014 7:17 AM EDT2014-07-22 11:17:13 GMT
Myrtle Beach (SC)- Event Organizers for Myrtle Beach Mustang Week are upset by the videos hitting Facebook and YouTube. Founder and President of Extreme Productions Inc. with Mustang Week, Rodney Melton,More >
Event organizers for Myrtle Beach Mustang Week are upset by videos hitting Facebook and YouTube showing reckless driving. More >
A Malaysia Airlines passenger plane carrying 295 people was shot down over eastern Ukraine. Both the government and pro-Russia separatists fighting in the region denied any responsibility.More >
A Malaysia Airlines passenger plane carrying 295 people was shot down over eastern Ukraine on Thursday, and both the government and the pro-Russia separatists fighting in the region denied any responsibility for downing the aircraft.More >