Who let the cyber attack happen?
COLUMBIA — The frustration in Judith Goldsmith's voice builds the more she talks about the South Carolina computer hacking crisis that's affected 3.6 million in the Palmetto State.
By the numbers
The hack attack on the Department of Revenue's computers is a story about numbers, and it's happened to public and private entities in the U.S. numerous times.
In South Carolina's case, millions of Social Security numbers were stolen, and hundreds of thousands of credit and debit card numbers, and days passed before state officials told anyone.
160 — Number of government and military data breaches since the start of 2011, not including South Carolina's, according to the Privacy Rights Clearinghouse
48 — Number attributed to hackers or malicious software
3.6 million — Estimated Social Security numbers obtained from S.C. computers.
6.5 million — Number of Social Security numbers the Texas Attorney General's Office accidentally sent to lawyers in a voter ID case in April
$15.95 — Amount Experian charges consumers for ProtectMyID monthly.
$8 and up — Amount per person Experian will charge S.C. yearly
$29 million — Cost to the state if everyone signs up
“I was wondering if we'll ever really know who hacked or what the repercussions are going to mean,” the 72-year-old West Ashley resident said Monday.
“It's such a horrific situation for all the people in this state. You can't call a lawyer because everybody's in the same position. You can't call your accountant because your accountant is in the same situation.”
Goldsmith and millions of other South Carolinians' concerns aren't likely to be resolved in the immediate future. State officials still don't know exactly what or whose information was compromised in the massive cyber attack on an S.C. Department of Revenue database.
“We don't know exactly what was extracted from that database,” State Law Enforcement Division Chief Mark Keel said Monday.
For additional stories, go to postandcourier.com/hacked.
Officials also don't know how much it will cost to provide credit monitoring services to those affected.
While the state had to sign an initial agreement with Experian to begin offering help to residents Friday, the rate the state will have to pay the company is still under negotiation, according to Gov. Nikki Haley's office.
Haley said the wholesale rate is running at $8 or more per person per year. At that rate, credit monitoring could cost the state about $29 million for one year for 3.6 million residents. It's unclear where that money will come from, and the chairmen of the Senate Finance and House Ways and Means committees did not respond to requests for comment Monday.
However, the Senate Finance Committee will hold a hearing this afternoon at which Department of Revenue Director James Etter is set to testify.
Haley, who will hold another Statehouse press conference this morning, said the breach is a sign of the times.
“I think what we're looking at is the fact that none of us is completely protected from hackers,” she said. “It's just the new world in which we live in. But our job is to respond, respond immediately and do everything we can to take care of the people of the state.”
That response will include a review by a task force organized by Inspector General Patrick Maley, he said. Maley said the group will gauge what each agency across state government can do to look at internal information security procedures and make possible immediate changes.
A more in-depth review will follow, Maley said.
After an internal breach at the S.C. Department of Health and Human Services in April, the Inspector General's Office began a review of information security procedures at Haley's Cabinet agencies.
Maley said agencies provided their own information on security procedures used, and then the Inspector General's Office made an assessment. Nine of 16 Cabinet agencies have completed those reviews. The Department of Revenue was among them and was reviewed over the summer, Maley said.
Haley spokesman Rob Godfrey said the state is in the process of going “far beyond industry standards” and encrypting all Department of Revenue files. That process should be completed in the next 60 to 90 days, he said.
Haley said no state employees have been fired in the wake of the security breach and that the focus of ire should be on the hacker.
“(The breach) wasn't an issue where anyone in state government could have done something to avoid it,” she said.
Frank Abagnale is a former internationally known con man who now operates a security firm and has been a consultant to the FBI for 36 years. He said he doubts the cyber-hacking episode was carried out by a computer genius of some sort. He said he believes the state could have prevented the attack.
“What typically happens is that (the breach occurs) because of some employee somewhere doing something they weren't supposed to do,” said Abagnale, the subject of Steven Spielberg's 2002 film “Catch Me if You Can.”
Perhaps someone opens an email attachment they should have avoided or visits a trap-laden website. Unwittingly, they open the door to a hacker bent on violating their system and harvesting valuable information, Abagnale said.
Abagnale, who lives in the Charleston area, is among those potentially affected by the breach of the state's tax databases. He said he's concerned that the state's not saying whether the hackers gained access to entire files with people's bank records, work information and more.
He also said the one year of monitoring protection offered by the state is likely not enough. Thieves often warehouse such data and use it two to three years down the line when they are less likely to get caught and their victims' net worth has probably gone up, he said.
“It's very scary, and it goes on more often than you think,” Abagnale said.
Legislative Democrats on Monday were looking for answers from Haley and her Department of Revenue. Several sent a letter to the agency seeking more information.
Among them was Sen. Vincent Sheheen of Camden. He said in an interview that the Cabinet form of government was designed to provide accountability.
“I certainly think it is unacceptable to rule out holding people accountable,” said Sheheen, who ran against Haley in 2010. “I don't know who ultimately is responsible, but it needs to be looked into.”