Gov. Nikki Haley held a press conference Monday morning with State Law Enforcement Division Chief Mark Keel and Department of Revenue Director James Etter to provide updates regarding the state’s response to a massive hack into the Department of Revenue. In attempting to clarify the crisis, they offered some mixed messages.
Haley implied the hack has been contained. “All of the information that was compromised, as I told you Friday, is plugged, is secure and is safe, and so there are no more holes or anything that could be penetrated,” she said.
But Haley and Keel admitted they didn’t know what information had actually been taken. And asked about broader government vulnerablility minutes later, SLED Chief Mark Keel said that in this day and age, “none of us can be absolutely positive … that we’re secure.”
“I don’t think any governmental organization or corporate organization is immune from it. I think it is unfortunately it is the environment that we live in today. And so I don’t think we can say any absolutes.”
Haley later echoed that idea.
“So I think what we’re looking at, it is none of us is completely protected from hackers,” she said. “I think it’s just the new world in which we live in.”
Haley seemed to say the state couldn’t have done anything to prevent the attack.
“This wasn’t an issue where anyone in the agency could’ve avoided it. This wasn’t an issue where anyone in state government could’ve done something to avoid it,” she said, adding later, “This is a situation that a sophisticated intelligent criminal got into a database that is unbelievably creative on how they did it, and now we’re having to deal with that.”
But the state inspector general performed a security audit of all state agencies after a breach at the Department of Health and Human Services in the spring.
And Charleston cybercrime expert John LaCour said last week that “either IT staff didn’t follow … security procedures, or there were software vulnerabilities in an application connected to the Internet, or a combination of the two. My guess, and it’s just a guess, is it may have been a procedural issue based on their saying they’re going to invest in security training.”
Haley was asked why the millions of potentially compromised Social Security numbers were not encrypted. She responded that is the “industry standard.”
“A lot of banks don’t encrypt,” she said. “A lot of those agencies that you think might encrypt Social Security numbers actually don’t. Because it’s very complicated, it’s cumbersome and there’s a lot of numbers involved with it. So it’s not just that this was a Department of Revenue situation. This is an industry situation.”
On Saturday, Etter implied it wasn’t quite so complicated.
“It’s just a matter of someone paying attention to that.”
Others have noted that perhaps the government should be held to a higher standard because people have a choice where to bank but not where they pay taxes.
There are also several unanswered questions about the state’s contract with Experian.
On Saturday, Etter said the state signed a contract with Experian on Friday, but he could not produce the document. On Monday, Haley explained that, despite signing a contract with Experian, one key term has not been agreed upon: how much the state will pay for each taxpayer’s coverage.
“The reason that we have kind of had somewhat of a delay on the cost is that we are in negotiations with Experian on how much this is gonna cost,” Haley said. “We are getting a wholesale rate, but that rate is being negotiated. The cost is dependent on the number of people who sign up naturally.”
She said it could average “anywhere from $8 up,” which would be about half the rate advertised on Experian’s website, and she implied further publicity would make it cost more.
“The more y’all report on it, the more you’re kind of compromising our ability to negotiate that rate, and we’re trying to negotiate that rate or cap that rate if possible,” she said.
But with a signed contract and 154,000 people signed up by Monday morning, Experian seems to have plenty of leverage.