COLUMBIA — The state and a cybersecurity company acted negligently in allowing a state database to be hacked and then failing to notify the public for more than two weeks, a former state senator suing the state over the breach alleged Monday.
John Hawkins, a Republican attorney from Spartanburg, last week filed a class-action suit against Gov. Nikki Haley and the S.C. Department of Revenue, the agency whose database was hacked.
On Monday, Hawkins announced he had added cybersecurity firm Trustwave and the Division of State Information Technology as defendants in the suit.
“What we’re looking at here is a systematic failure,” he said.
The Revenue Department was using Trustwave to monitor the systems that were breached in the cyberattack.
Revenue spokeswoman Samantha Cheek said Monday the agency has contracted with Trustwave since 2005, but she said the agency was still reviewing the agreement and could not provide further details, such as how much the state paid the company.
Unlike many state agencies, school districts and local governments, the Revenue Department chose not to use the free security monitoring offered by the Division of State Information Technology, a unit under the S.C. Budget and Control Board.
That decision came despite the fact that the Revenue Department’s database servers are located at the Division of State Information Technology’s data center in Columbia.
The Revenue Department has since signed up for the state monitoring.
As an agency that processes credit card information, the Revenue Department had to use a national company, such as Trustwave, that was approved by credit card companies, Haley’s office said last week.
Hawkins said Monday that his lawsuit will show that the reasons given by the Revenue Department for using Trustwave, namely that the service was compliant with payment card industry standards, applied only to credit card numbers, not Social Security numbers, contained in the breached database.
“The public is forced with the threat of jail to pay taxes and give their personal information to SCDOR, and yet SCDOR took only the flimsiest steps to protect this private data, leaving South Carolina the most vulnerable target for hackers of any state in the Union,” Hawkins said.
In a statement, Haley spokesman Rob Godfrey responded: “Nothing Mr. Hawkins does surprises the governor, nor does it change her statement from last week: there is a trial lawyer with a hand out and a tissue ready at any crisis.”
The cyberattack compromised 3.6 million Social Security numbers for people who had paid state taxes since 1998, thousands of credit and debit card numbers and information from as many as 657,000 state businesses.
The state didn’t announce the breach until Oct. 26, after learning of the attack on Oct. 10.
State Law Enforcement Division Chief Mark Keel and Haley have said the timing of the public disclosure was dictated by law enforcement pursuing the hacker.
But Hawkins will attempt to prove that state officials and Trustwave violated a provision in state law that requires state agencies to disclose a breach of personal identifying information to taxpayers following discovery or notification of the breach.
The law states: “The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
Hawkins said the information should have been released to the public sooner.
“Tell me one other crime out there where police don’t inform the victim or potential victim as soon as possible — there aren’t any,” Hawkins said.
A spokesman for Trustwave said the company’s policy is not to comment on pending legal matters.