COLUMBIA — South Carolina’s tax collection agency is working to restore its credibility following last fall’s massive hacking of taxpayers’ personal data, its director said Tuesday.
“Our new mantra at the (Revenue) Department — and you’re going to find this hanging on every door that’s available, and you can find this on every screen saver — is that ‘security is non-negotiable,” ’ said Director Bill Blume.
The encryption of taxpayers’ stored data and dual authentication for remote log-ins is complete, he said. Those are the two things that computer forensic firm Mandiant determined could have prevented the theft of millions of taxpayers’ Social Security and bank account numbers last September.
Other recommendations for preventing a future cyberattack are under way. Some work will be completed by August. All should be wrapped up by next summer, Blume said.
His progress report came during Gov. Nikki Haley’s Cabinet meeting. He gave no details on the incomplete work. A revenue spokeswoman said later Tuesday that security concerns prevent the agency from discussing the projects.
He said 24-hour monitoring by the state’s computer technology division resulted in two alerts last month, which were handled without the loss of data.
But Blume, who took the agency’s helm in January, said the greatest threat to security is employees’ judgment and actions. The hacking stemmed from an employee who clicked on a phishing email.
Steps taken to address that include employee training. Employees are also barred from using their computers during lunch or after hours for anything not business-related.
“Those two things have stopped a lot of the issues,” Blume said.
Haley told her other Cabinet directors to implement the same training and requirements for their employees.
“This is the blueprint our administration needs to use in every agency,” she said.
The cyber-theft of unencrypted data from revenue’s servers represented the nation’s largest hacking of a state agency, affecting 6.4 million residents and businesses. The cleanup since state officials learned of the breach Oct. 10 from the U.S. Secret Service has cost $25 million so far, with the largest single contract of $12 million going to Experian to cover a year of state-paid credit monitoring for residents who signed up by last month’s deadline.
A bill approved by the Senate would extend credit monitoring for up to 10 years. The measure includes a provision sponsored by Sen. Vincent Sheheen, Haley’s expected Democratic rival in 2014, promising to reimburse identity theft victims for money lost, provided they prove their theft resulted from the state debacle. In practical terms, the clause could prove meaningless. Multiple experts have said the selling and trading of stolen information makes it virtually impossible to trace an identity theft case to any particular security breach.
Other costs of the cleanup included $840,000 paid to Mandiant to, among other things, plug the security hole, determine what happened and make recommendations.
Encryption was recently completed under a $4 million contract. The extra log-in step for laptops was put in place in January, at a cost of just $12,000, which covered the licensing and purchase of about 300 tokens that provide ever-changing passwords, according to the revenue agency.
“We’ve got a credibility gap that I think we’re making good progress toward improving, but unless we can demonstrate that to everyone, we’ll still be behind the ball,” Blume said Tuesday.