S.C. Department of Revenue didn’t use state cyber security system

  • Posted: Friday, November 2, 2012 12:39 a.m., Updated: Friday, November 2, 2012 8:56 a.m.

COLUMBIA — Gov. Nikki Haley has repeatedly said nothing could have been done to prevent a hacker from stealing Social Security numbers and credit card information from the S.C. Department of Revenue database.

Previous coverage

For more stories about the state Department of revenue breach, go to postandcourier.com/hacked.

But for the systems that a hacker breached, the Revenue Department had not been using a layer of cyber security offered by the state, according to information provided Thursday to The Post and Courier by the S.C. Budget and Control Board.

Resources

ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity-protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.

PLACE A SECURITY FREEZE ON CREDIT RECORDS, OR GET ADVICE: Call the S.C. Department of Consumer Affairs at 1-800-922-1594 weekdays during business hours to get advice or to ask that your credit records be frozen at no charge. Or go to http://bit.ly/TL6iD6 for more information.

REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.

PLACE A FRAUD ALERT ON YOUR CREDIT FILE: Residents can request “fraud alerts” to let potential creditors know they may be a victim of identity theft. Call either Equifax at 1-800-685-1111, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289.

FOR BUSINESSES: Starting at 8 a.m. Friday, Dun & Bradstreet Credibility Corp. will offer its CreditAlert credit-monitoring product for free to South Carolina businesses that have filed a tax return since 1998. Visit DandB.com/SC or call customer service toll free at 800-279-9881.

Democratic state Sen. Vincent Sheheen of Camden said having the state monitoring system in place on the breached systems might not have prevented the attack, but the additional protection could have helped.

“The answer is that there’s no 100 percent guarantee, but the purpose of the (monitoring) system is to detect breaches, and they have been very successful in detecting breaches in other agencies,” he said.

Sheheen, who lost to Haley in the 2010 governor’s race, said the fact that the Revenue Department began using the monitoring after the breach, and the fact that many agencies use the monitoring, shows its relevance. He said the department should have disclosed after announcing the breach that the state monitoring was not in place.

“It means I think we have to call into question what the Department of Revenue isn’t telling us,” he said. “I think we really have to look for some objective investigation into what actually occurred.”

Haley spokesman Rob Godfrey said in response, “Politics is politics and we’re certainly not interested in it right now.”

Many state agencies, school districts and local governments use the free network monitoring services from the Division of State Information Technology.

In the Lowcountry, Charleston and Berkeley counties and the school districts use the monitoring, along with the city of North Charleston and town of Mount Pleasant.

The breach that has compromised 3.6 million Social Security numbers and information for as many as 657,000 companies began Aug. 27.

The attack wasn’t discovered by the state until Oct. 10, according to state officials.

The hacker entered the Revenue Department system twice before extracting the sensitive data, officials have said.

According to the Budget and Control Board, the Revenue Department was using the state monitoring for certain work stations at the department’s Gervais Street location. But the Division of State Information Technology was not asked to monitor the systems where the breached data was housed, according to the Budget and Control Board.

Samantha Cheek, a spokeswoman for the Revenue Department, said the agency cannot comment on where the breached systems are located.

She said that at the time of the breach, the agency already was contracting with a national company, Trustwave, to conduct periodic reviews. Cheek said the Internal Revenue Service also was conducting audits of all Revenue Department computer systems and servers.

“As an agency we did not feel it was necessary to implement (the state’s) monitoring,” she said.

Cheek said the Division of State Information Technology began monitoring all Revenue Department servers after the agency was notified of the breach.

As an agency that processes credit card information, the Revenue Department had to use a national company, such as Trustwave, that was approved by credit card companies, Haley’s office said.

Haley’s office said some of the Revenue Department’s work stations had the state monitoring in place at the time of the breach because of the presence of computer viruses unrelated to the breach.

Comments { }

Postandcourier.com is pleased to offer readers the enhanced ability to comment on stories. We expect our readers to engage in lively, yet civil discourse. Postandcourier.com does not edit user submitted statements and we cannot promise that readers will not occasionally find offensive or inaccurate comments posted in the comments area. Responsibility for the statements posted lies with the person submitting the comment, not postandcourier.com. If you find a comment that is objectionable, please click "report abuse" and we will review it for possible removal. Please be reminded, however, that in accordance with our Terms of Use and federal law, we are under no obligation to remove any third party comments posted on our website. Read our full Terms and Conditions.