COLUMBIA Checking state computer logs could have spotted hackers before they stole financial data from the S.C. Department of Revenue belonging to 6.4 million consumers and businesses, two former agency employees said Thursday.
The logs should have shown unusual activity as hackers searched department servers and stole data over three weeks in August and September, said the agencys former chief information officer, Mike Garon, and former computer security administrator, Scott Shealy.
Garon said he did not know why his staff, which included contract workers, failed to find signs of the hackers. The state did not learn about the hacking until told about it by the Secret Service in October.
Im amazed, in the loss that we had, that we didnt detect anything in our logs, Garon told a state House hearing into the breach. When I heard they had been in there for a number of weeks and that amount of data went out of our systems and (we) werent aware of it, I just dont understand. People are supposed to look at those logs. Someone was not doing their job.
The Revenue Department disagreed with its former employees assessments, citing an investigation by a state-hired consultant, Mandiant, that said the hackers appeared to not be suspicious because they used stolen usernames and passwords.
Shealy said logs showing such large transfers of data should have triggered questions even if the activity appeared to come from an agency employee.
But the Revenue Department said agency computer logs were not being reviewed at the time of the breach, which was Garons responsibility. The department did not have a formal policy about monitoring logs during the hacking, the agency said, adding those logs now are reviewed daily.
Garon said he spent about five years crafting a security policy for the Revenue Department that was never approved by agency leaders, so his staff operated under unwritten rules.
Garon said he was not responsible alone for the administrative breakdowns that led to the nations largest breach at a state agency, blaming decisions by Revenue Department leaders and his staffs failure to follow rules.
Garon said he took partial responsibility if the policies he put in place were not sufficient to prevent the hacking. Am I accountable for some element of this? Yes.
Garon said he was fired on Sept. 21 for reasons unrelated to the breach. Despite good performance reviews, Garon said he was dismissed because of two incidents in a week, in which he became upset at one of his managers in a meeting and was accused of setting department policy without getting permission from his bosses.
The Associated Press contributed to this article
The Charlotte Observer welcomes your comments on news of the day. The more voices engaged in conversation, the better for us all, but do keep it civil. Please refrain from profanity, obscenity, spam, name-calling or attacking others for their views.
Have a news tip? You can send it to a local news editor; email email@example.com to send us your tip - or - consider joining the Public Insight Network and become a source for The Charlotte Observer.Read moreRead less