The man tapped to restore credibility to the state's Revenue Department in the wake of the hacking of millions of taxpayers' financial records compared the task to stopping a bank robbery.
Here are some of the steps the Department of Revenue and the Haley administration have taken to upgrade cyber-security. Other measures remain secret:
Steps taken by the Revenue Department:
Installed dual authentication for entry to the computer system.
Encrypted taxpayer Social Security numbers and other key data.
Restructured the department so the head of cyber-security reports directly to the department director.
Restricted computer use to Revenue Department business only.
Hired an outside company to periodically try to hack into the system so upgrades can be made if necessary.
Began daily monitoring of computer system.
Installed an intrusion prevention system.
Cyber-security training for employees.
Contracted with Experian to provide one year of active credit monitoring and lifetime fraud resolution to all affected taxpayers, and one year of active credit monitoring and fraud resolution to all affected minors.
Increased cyber-security by Haley administration for other Cabinet departments:
Every Cabinet agency now has 24/7 computer monitoring.
Many Cabinet agencies now require the director of information technology to report directly to the director.
Every Cabinet agency has dedicated additional resources to fortify its computer system.
Each Cabinet agency has strengthened controls over which governmental agencies have access to its computer system, to ensure that appropriate security controls are in place.
The Division of State Information Technology has taken the lead role in setting standard policies and procedures for state agencies.
The Budget and Control Board hired the international accounting firm of Deloitte to audit agencies and make recommendations to the state for coordinated changes.
The state is hiring for the first time a State Chief Information Security Officer.
The Budget and Control Board issued a request for proposals to provide, at state expense, long-term solutions for taxpayers affected by the breach, such as the credit monitoring offered this past year through Experian.
Established a Data Breach Assistance Team composed of dedicated Revenue Department and governor's office staff with the assistance of the S.C. Consumer Protection agency to address public information needs and assist individuals with securing identity protection.
Governor Haley announced free services from both Experian Business and Dun & Bradstreet, available to S.C. businesses affected by the breach, that alert them to potential fraudulent activity.
S.C. Department of Revenue, S.C. Office of the Governor
“If you rob a bank and you can't get in, you can't get the money,” William Blume said.
And that's what he had to do at Revenue — make it virtually impossible for a hacker to break into the department's computers.
The robber got in last year, but likely couldn't now, he told Gov. Nikki Haley and her Cabinet at a special cyber-security meeting in August.
Unfortunately for 5.7 million current and former South Carolina taxpayers and their dependents, that's little comfort: They remain at risk of fraud for the rest of their lives. The robber already got away with their Social Security numbers and other personal and financial information that can be used to steal their identities to open credit cards and pilfer bank accounts.
Authorities say they don't know of anyone who has lost money as a result of the hacking, but they concede it's likely only a matter of time.
If you moved to South Carolina today and filed a state income tax return, you'd be far safer because of the extensive cyber-security measures that have been taken. But all the millions of hacking victims can do is remain vigilant, watching their financial accounts and taking advantage of state-paid-for credit monitoring.
Blume said the Revenue Department is now about as secure as it can be. But it came at a cost — some $21 million to upgrade computer security and provide one year of free credit monitoring for millions of South Carolinians.
Still, Blume said, it's a constant job of monitoring and upgrading.
To double check, he has hired an outside organization to periodically attempt to hack into Revenue's computers.
“Everybody's going to get hacked. It's not whether you are going to be, but whether you can make it really hard to allow only a best-in-class hacker to get in,” Blume said. “This is never-ending. There's somebody out there right now trying to get in. ... I do sincerely think that we're getting there. ... I guarantee we're better off.”
“The system is safer, but I can't make them whole,” Blume said of the hacking victims.
Watch your back
Lance Spitzner, an internationally recognized expert in cyber-security, said the hacking victims “absolutely” remain at continuing risk. The hacker has their Social Security numbers, he said, and “that's a big one.”
What makes it so risky is the combination of personal information in the stolen income tax returns.
“The more information they get on you, the easier it is to commit fraud,” Spitzner said. Some cyber-experts call stolen tax returns “the gold mine for the bad guy.”
Spitzner, who works with the SANS Institute, a Bethesda, Md.-based information security and education organization, said most people already are at risk of financial fraud. That's because “we're not in custody of our own information,” he said, and we're dependent on others to keep us secure.
Those exposed by the hacking “probably already had their identification compromised” by a hacker who got it from any of innumerable other places accessible by the web, everything from online sales to electronic medical records.
Spitzner has given cyber-security advice to numerous federal offices, including the National Security Agency. He said many of those exposed by the hacker already may have been financially victimized. They just don't know it.
For many others it's just a matter of time until the hacker uses the information or possibly sells it to others in the cyber-criminal underworld.
The information could be used by thieves to pull off all sorts of financial havoc: Savings and investment accounts could be pilfered, phony credit cards opened and loans and credit lines could be obtained.
But a ray of sunshine is out there, Spitzner said. The hacking has made many South Carolinians more watchful of their finances.
In this age of computers, online banking and buying and selling, watchfulness is the best protection, Spitzner said.
“In the long run they may be a little more protected.”
Crooks are lazy
Three kinds of hackers lurk online: The casual ones who try it now and then just for kicks; the true geeks who love the thrill and the intellectual challenge; and cyber-crooks.
Casual hackers are easy to foil. Dedicated hackers may be impossible to stop. Crooks look for easy kills.
“Bad guys are lazy,” Spitzner said. They increasingly aim for soft targets.
That's one reason South Carolina's Department of Revenue got hit. The federal government and most larger businesses have fought back against hackers with ever more effective security. That leaves state and local governments as the next best targets of convenience.
Doug Robinson, executive director of the National Association of State Chief Information Officers, said his organization has warned states for some time that “hackers are targeting states. They have become a new frontier, attractive targets for bad guys.”
Robinson testified this year before a South Carolina Senate committee looking at how the state could improve cyber-security. He told senators that efforts the state is taking to centralize security for all agencies would provide a high degree of accountability and reduce risk. State officials say they plan to phase in most departments during the coming months.
“You can't have individual agencies deciding on their own” how to operate their computer security, Robinson said. Preventing that can be a particular problem in decentralized state governments such as South Carolina's, he said. “This is an area they ignore at their peril.”
“No state wants to be a poster child for this,” but South Carolina's experience has served as a wake-up call for other states, Robinson said.
South Carolina's hacking hit home with the elected and appointed leadership of every state, he said. They clearly see how it can harm public trust and reflect on them.
What political impact the hacking will have will play out in Haley's re-election campaign. Already, her likely challenger, Democratic Sen. Vincent Sheheen, has called it an example of Haley's leadership failure. He characterized Haley's response as “a disaster,” and faulted her administration for having failed to take the most basic security precautions.
Haley has said she hopes residents judge her on how aggressively her administration has handled the hacking aftermath and not the hacking itself.
Haley's re-election spokesman Rob Godfrey characterized Sheheen's criticism as “the difference between a lifelong political ambulance chaser like Vince Sheheen and a leader like Nikki Haley.”
She blamed the hacking on state departments being too focused on consumer service and accessibility and not focused enough on security. And she has ordered all of her cabinet directors to adopt cyber-security measures similar to those Blume put in place at Revenue.
Max Milien, a spokesman for the U.S. Secret Service, said the agency would have no comment on the hacking investigation. He confirmed only that the Secret Service is involved because of its mission “to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy.”
SLED Chief Mark Keel said neither his department nor the Secret Service has been able to confirm any rip-offs as a result of the stolen information.
Keel declined to say how many complaints SLED has checked out, but Blume said he is aware of about 90 cases.
Although none of the cases have been linked to the hacking, Blume conceded that it's almost impossible to know for sure.
Investigators are relatively confident they have narrowed the hacker's location to one country; Keel wouldn't say which one, but other reports have named Russia.
Whether the hacker can be identified and arrested is another question. Cyber-experts say few hackers get caught, especially if they operate from other countries.
Still, Keel offered hope. “It's not a case that we have put on the back burner. It's a case we're working as hard as we can to bring somebody to justice.”
Why pick Blume?
Blume is a retired senior tax partner with the global accounting firm of Ernst & Young who already was helping out Haley's administration. He had taken the job as executive director of the state's Public Employee Benefit Authority, a new agency created to bring control to the state's financially troubled employee retirement and health insurance services.
Blume was prepared to leave the Benefit Authority at year's end, when the Charleston native and his wife had planned to resume retirement in their Mount Pleasant home.
In the days after the hacking was revealed last October, the governor's office needed to act with speed and assurance as it coped with public outrage and national embarrassment.
Ted Pitts, a deputy chief of staff for Haley, called Blume and asked him to come to the governor's office the next day to discuss the hacking.
The next morning, Blume walked into Haley's office at the Statehouse and learned that she wanted him to replace Revenue Director James Etter, who had submitted his resignation in the wake of the hacker's attack on his department.
Haley felt Blume could secure Revenue's data and computers and restore public confidence in the sullied agency.
It's the culture
Blume, clad in a blazer, slacks and button-down shirt, and with a head of snow-white hair parted down the middle, doesn't look the part of a cyber-warrior.
But he knows how to manage money, people and information.
He motioned toward the computer screen on his desk at the Revenue Department's West Ashley office. The words “Security is non-negotiable” serve as his screen saver. Blume shook his head side-to-side and asked, “Why does it take an occurrence to happen before you make the moves to make it right?”
If the Revenue Department had taken a couple of relatively inexpensive and simple steps last year, such as use of a dual-password system that costs just $25,000, the hacker likely would not have gotten in, officials said.
Blume motioned toward the words on his computer screen. “That's on everyone's computer.”
Putting them there was one of the first things he did.
But he knows that words alone will not guarantee security. The culture of the department had to change. For instance, he said, the people who work at Revenue have to know they are not just tax collectors. “You are a trustee of information and you've got to protect that.”
One simple way to do that is to prohibit use of Revenue's computers for anything other than Department business. The computers are monitored daily to make sure that's the case, Blume said.
The hacking occurred because one worker opened a phishing email and clicked on an embedded link that launched malware. The malware is believed to have stolen the worker's username and password to enable the hacker to gain access to millions of taxpayers' personal and financial information.
Blume said the worker who opened that email was a contractor who has been fired. Blume also disciplined 10 to 15 of the department's 800 employees for violating the new computer restrictions. Some of those disciplined employees also were fired, he said.
People have to understand that security is critical; security must be the bedrock of the department's culture, he said. “I'd rather have buy-in than use the stick.”
South Carolina's Revenue Department may be far better protected now from hackers, but many other state agencies remain less so.
State Sen. Kevin Bryant co-chaired a committee investigating the hacking, and he doesn't believe the state has done enough to improve security.
The Republican from Anderson supported a Senate-approved bill that mandated high standards for all agencies and made free credit monitoring available for the hacked taxpayers for up to 10 years.
The House did not take up the measure. “I'm very concerned our databases are still vulnerable,” Bryant said.
House Speaker Bobby Harrell said he's as outraged today as he was last year when he found out about the hacking.
“It includes me, my wife and two kids. ... As a South Carolina citizen who had his information hacked, I was livid.”
As a legislator he was also embarrassed for the state. The Charleston Republican said that, since then, the state has done much of what it can, including hiring the best in the business to fix the Revenue Department and begin necessary measures for all state agencies.
The questions are how to fix what remains going forward, and how to deal with the millions of taxpayers who have been compromised for the rest of their lives, he said.
Even though fewer than 1.5 million of the hacked taxpayers signed up this past year for the free credit protection the state provided, the Legislature has authorized $10 million more to extend it for another year, Harrell said.
“I think the state is going to have to do that for a long time.”
Reach Doug Pardue at 937-5558.
Timeline: The hacking and the response
Aug. 13, 2012: Hacker sends a phishing email to several Department of Revenue employees. At least one clicks on an embedded link releasing malware that is believed to have stolen the worker's user name and password.
Aug. 27: Hacker uses worker's user name and password to log into the worker's computer and begins exploring various Revenue Department systems and databases.
Sept. 1-12: Hacker obtains user account passwords, searches through numerous Revenue Department systems.
Sept. 13-14: Hacker copies data and transfers it through the Internet.
Oct. 10: U.S. Secret Service notifies South Carolina officials of the breach.
Oct. 12: South Carolina contracts with Mandiant, a cyber-security company, to figure out what happened, recommend quick fixes and long-range security upgrades.
Oct. 19-20: The Revenue Department puts in place Mandiant's recommended quick fixes.
Oct. 26: Gov. Haley holds a news conference to let the public know for the first time that millions of individual South Carolina taxpayers and almost 700,000 businesses have had their personal and financial information stolen. Officials urge taxpayers to sign up with Experian for credit protection services provided free by the state for one year at a cost of $12 million. Officials also urge taxpayers to take other measures to protect their identity, such as closely watching credit card statements.
Nov. 20: Gov. Haley releases a summary of Mandiant's investigation into how the hacking occurred. It reveals the Revenue Department's cyber-security was minimal and that the hacker was able to get in easily because the computer system lacked dual verification. The report also reveals that the Revenue Department failed to encrypt Social Security numbers and other key data. Haley announces resignation of Revenue Director James Etter effective Dec. 31. Bill Blume, executive director of the Public Employee Benefit Authority, is named as his replacement.
Dec.: State begins sending letters to those whose information was hacked, telling them what happened and what they can do to protect their identity and accounts from theft.
Today: Officials say no known theft of identity or money has been linked to the hacking. The hacking is believed to have originated in Russia. Federal and state investigations continue.
AP and file reports