Outgoing Director of SCDOR Jim Etter testifies before the panel. (Nov. 28, 2012/FOX Carolina)
SC Sen. Kevin Bryant begins the hearing in Columbia. (Nov. 28, 2012/FOX Carolina)
COLUMBIA, SC (AP/FOX Carolina) -
State senators are investigating a massive tax breach at South Carolina's tax collection agency that exposed the unencrypted data of 3.8 million individual filers and 700,000 businesses.
A Senate oversight panel created earlier this month held its first meeting Wednesday morning.
During the meeting, officials testified that on Aug. 13, a computer hacker sent multiple malicious emails, otherwise known as phishing emails, to employees at the South Carolina Department of Revenue. These emails purported to come from the tax agency and asked users to click on a link to confirm a pending wire transfer.
Marshall Heilman with Mandiant, the computer security firm hired by the Revenue Department on Oct. 12 to determine what information was taken and how, said an employee clicked on that link, opening the door for the hacker to operate undetected for weeks.
"In this particular case if the DOR had multi-factor authentication, the hacker would not have been able to log on using those credentials," Heilman testified.
He said multi-factor authentication would have required the hacker to use more than one method of identification to log on to the system. Heilman also said their services will cost the state $700,000.
Heilman said they know whose user account was connected to the breach and that the international hacker used phishing emails to breach the system.
Along with Heilman, other state officials testified before the panel Wednesday morning including outgoing Director of the South Carolina Department of Revenue Jim Etter, who turned in his letter of resignation in the wake of the breach and will remain on until Dec. 31.
Mandiant said SCDOR did not encrypt any taxpayers' social security numbers and some financial information was left vulnerable. Etter said that the state considered encryption in 2006, but it would have cost too much.
"It would be very expensive and cost ineffective," Etter said. "It would have cost about $5 million."
Etter also had to answer questions as to why the tax agency was without a computer security chief for almost a year, until this August. He said there was not enough money to hire a qualified person, delaying the search and hiring of someone.
"We moved as fast as we could," Etter said. "We are not competitive with the private sector and trying to find someone to move into this position is very difficult."
Panel co-chairman Kevin Bryant of Anderson has said the subcommittee's job is to find out who's responsible for the agency's lax computer security. Bryant said he was upset to hear that simple and relatively inexpensive measures could have prevented the attack.
"These professional hackers are very good," Bryant said. "but like I mentioned, the lion doesn't go to the head of the pack to eat lunch. So evidently we were the easiest to get into."
So far, the attack has cost the state $12,700,000, which includes monitoring services from Experian and fees paid to Mandiant to investigate the breach, making the $5 million cost in 2006 to encrypt all the date look like a good deal.
The state has set up a year of daily
monitoring of the three credit bureaus and a lifetime of over-the-phone
help on resolving identity theft after it happens through Experian.
People are asked to visit protectmyid.com/scdor and enter code SCDOR123 or call 1-866-578-5422 to determine if their Social Security number was accessed.
Haley said in a previous press conference
that Dun and Bradstreet Credibility Corp. will offer free
credit-monitoring service to any businesses affected by the hacking
case. She said the businesses can sign up for the service at
dandb.com/sc or by calling 800-279-9881.
Copyright 2012 FOX Carolina (Meredith Corporation). All rights reserved. The Associated Press contributed to this report.
Wednesday, April 23 2014 9:35 AM EDT2014-04-23 13:35:48 GMT
By STEVE KARNOWSKIAssociated Press MINNEAPOLIS (AP) - The FBI asked for the public's help Tuesday to identify at least 90 potential victims of a suspected child predator who worked at 10 American andMore >
The FBI is asking for the public's help to identify at least 90 potential victims of a suspected child predator who maintained a home in South Carolina.More >
Wednesday, April 23 2014 9:44 PM EDT2014-04-24 01:44:27 GMT
Camden Police arrested a woman after a group of girls found a loaded .45-caliber pistol inside the bathroom of a fast foot restaurant. Police arrested 45-year-old Robin Lei Albert and charged her withMore >
Camden Police arrested a woman after a group of girls found a loaded .45-caliber pistol inside the bathroom of a fast food restaurant.More >
Thursday, April 24 2014 7:25 AM EDT2014-04-24 11:25:54 GMT
The pictures strewn about Ava Boyce's house are a constant but pleasant reminder of the "angel" she said she had for 18 years."He never got in trouble, he never lied," said Boyce, talking about her lateMore >
The pictures strewn about Ava Boyce's house are a constant but pleasant reminder of the "angel" she said she had for 18 years.More >