GOVERNOR’S CABINET ASKED TO PROVIDE INFORMATION ON UNPRECEDENTED SECURITY LAPSE
A quartet of leading South Carolina Democrats – two in the State Senate and two in the S.C. House of Representatives – are demanding answers from Gov. Nikki Haley’s administration in the wake of the worst security breach in state history.
Senators Brad Hutto (D-Orangeburg) and Vincent Sheheen (D-Camden) and Reps. Mia Butler Garrick (D-Columbia) and James Smith (D-Columbia) jointly signed a letter to Haley seeking to “ensure that the nature of this breach is fully understood and corrective measures are taken.”
“As elected representatives of the people of South Carolina, we are very concerned for the safety of their identities,” the lawmakers wrote. “There remain important questions, which have not been answered.”
Beginning on August 27, hackers infiltrated the S.C. Department of Revenue (SCDOR) database and made off with 3.6 million Social Security numbers and nearly 400,000 credit card numbers. Other more detailed information – including individual tax returns – may have also been stolen.
The breach was not detected by Haley’s administration until October 10. Meanwhile the public was not notified that their personal information had been compromised until October 26.
The hackers responsible for the breach are believed to be linked to an Eastern European crime syndicate – which was allegedly the subject of an international law enforcement operation over the last few weeks. Administration officials have referenced an ongoing criminal investigation as the reason for their delay in publicizing the breach – although they have refused to provide any specifics about that investigation.
Haley claimed this week that there “wasn’t anything” anyone in state government could have done to avoid the breach. Of course the governor almost immediately contradicted herself when she stated that holes in the state’s costly cyber security network had since been filled.
“All the information that was compromised … is plugged, is secure and is, um, safe and … so there are no more holes and anything that can be penetrated,” Haley said.
Democrats aren’t buying it. In fact they’ve posed a detailed list of pointed questions that they want Haley’s
From the Democrats’ letter, here are those questions:
Do we know that data was actually transferred out of the system or was the system simply breached?
What types of data were compromised – the full tax return? Social security numbers? addresses? charitable contributions? W2 information? or other information?
Why were any credit card numbers kept in an unencrypted format?
To what degree was the breach the result of poor procedural, security control versus human error?
Why was this data kept in a way that was accessible to the internet?
What security audits were performed on these systems during the past two years?
Have children’s SSNs also been compromised and what steps should parents take to ensure that their IDs are protected?
What is the state willing to do beyond the year of (free) ID protection to protect the IDs of children, vulnerable adults and others who have been compromised and may not be able to afford ID protection after the year expires?
Please provide us with a copy of SCDOR’s information security standards and policy.
Please describe the time line of when and how SCDOR learned about the breach, steps that were taken, and when any other entities were notified of the breach?
Please explain how much time passed between the time SCDOR was notified of the breach and the time the public was notified?
Please provide an estimate of how much money the state will expend to deal with this breach and its aftermath?
That last question – the one about cost – is particularly troubling given that taxpayers have already shelled out their hard earned money once to keep their data secure.
The Palmetto State has received millions of dollars in cyber security grants from the U.S. Department of Homeland Security (USDHS) in recent years. Not only that, the state reportedly paid “a boatload of money” to Carnegie Mellon’s internationally recognized Computer Emergency Response Team (CERT) to train state employees on new cyber security measures.
Also, Haley’s administration experienced another major security breach less than six months ago when nearly a quarter of a million Medicare records were improperly lifted from the S.C. Department of Health and Human Services (SCDHHS).