Details remain sketchy more than three weeks after South Carolina officials revealed hackers swiped state tax information belonging to as many as 4.45 million consumers and businesses.
With S.C. Gov. Nikki Haley expected to release an investigative report this week, here is what is known – and not – about the massive hacking attack and the latest on what is being done to prevent another cyber attack:
Q: What do we know about what happened?
Hackers duped an employee into opening a file with a program that allowed them to get log-in credentials to the department computers. The hackers probed the computers, starting in late August, before swiping the information in mid-September. The Secret Service told the state about the theft Oct. 10.
Q: Do we know what the thieves took?
The state has not released information on what was stolen or from how many people. Haley said to be safe anyone who filed S.C. taxes since 1998 should assume anything on their tax return is in the hands of hackers. That encompasses 3.8 million consumers and 657,000 businesses. The hackers also snagged nearly 400,000 credit cards numbers.
Q: What could the thieves do with the tax information?
They could get credit cards and loans, receive medical care and empty bank accounts. Hackers could net $360 million if they empty bank accounts belonging to only 1 percent of affected consumers and businesses, a former FBI agent said last week.
Q: What kind of computer protection did the S.C. Revenue Department have?
The agency used some of common security measures – two firewalls, email and website filters and periodic virus scans. The department also hired Trustwave to check computer system security periodically to ensure the agency was in compliance with regulations on handling credit cards. Both measures failed to prevent or detect the theft.
Q: Could the Revenue Department have taken other steps?
It seems so.
The department just partially used the S.C. Division of State Information Technology’s free network-monitoring service. While that would not have stopped the breach, the state might have learned about the large amount of uploaded data sooner. The revenue agency also did not encrypt tax information sitting in servers. Other state agencies encrypt that information.
Q: Has anyone lost their job for the breach?
Initially, Haley said no one was to blame. Now, says she will wait until she sees investigative reports.
Q: What is being done?
Now, a lot.
The Revenue Department is encrypting data and using a special program nicknamed “The Hand” that will shut down computers infected by viruses or malware or uploading an unusual amount of data. The department also is reviewing whether to reduce the number of employees who have access to its records from its current 250. Meanwhile, all 16 state agencies that report directly to Haley will start using The Hand program and receive round-the-clock monitoring from the Division of State Information Technology.
Q: Doesn’t anyone coordinate computer security among state agencies?
No, but look for that to change.
State agencies are allowed to handle their own computer systems. The Division of State Information Technology must market its services just like private-sector firms to state agencies. Last week, Haley ordered her 16 cabinet agencies to follow the state Information Technology division’s security procedures. The S.C. Inspector General is working with chief information officers at all state agencies on a plan to improve and coordinate computer security.
Q: How much is the breach costing the state?
Nearly $14 million and counting.
South Carolina will pay Experian $12 million to provide a free year of credit monitoring to taxpayers.
The state also is shelling out an estimated $741,000 to inform up to 1.5 million out-of-state residents who filed S.C. taxes since 1998; an estimated $500,000 for computer security firm Mandiant; $500,000 for five state agencies to program their computer systems to sync with the state Information Technology center; $160,000 for public relations firm Chernoff Newman to coordinate a news conference and place ads to consumers; and an estimated $100,000 for outside legal help from the Nelson Mullins law firm in Columbia.
The Charlotte Observer welcomes your comments on news of the day. The more voices engaged in conversation, the better for us all, but do keep it civil. Please refrain from profanity, obscenity, spam, name-calling or attacking others for their views.
Have a news tip? You can send it to a local news editor; email email@example.com to send us your tip - or - consider joining the Public Insight Network and become a source for The Charlotte Observer.Read moreRead less