Since announcing two weeks ago that the state Department of Revenue had been hacked, Gov. Nikki Haley has said repeatedly that no one in state government could have done anything to prevent the breach.
On Thursday Haley backpedaled, saying she is not prepared to speak in absolutes with the investigation not quite complete. Her statement came one day after an investigator hired by the state said in The Post and Courier that human error and vulnerabilities in the computer system allowed the hacker in.
Meanwhile, House Speaker Bobby Harrell, a Charleston Republican, said he is frustrated with the way Haley and other officials have parsed information about the breach to an anxious public in the wake of the attack.
Haley reported Thursday that “almost 716,000” people have been able to sign up for the state-sponsored Experian credit-monitoring service since it was launched Oct. 26.
She said she hopes “by the first of next week we can give a final report on where we stand.” And in addition to the inspector general’s review of all state agencies’ cyber-security tools and policy, “we’re also looking at bringing in a consulting company to go and look over the inspector general just to make sure that we’re looking at everything possible.”
“I mean, I’d rather do too much at this point than not enough,” she said.
Haley was on the Isle of Palms to address the South Carolina Chamber of Commerce’s annual summit.
She did not mention the hack in her 18-minute speech, which featured the usual business cheerleading, union bashing and public shaming of her opponents in the state Legislature, and was bookended by standing ovations.
And even though she invited questions from the audience, there were none. “Was I that good again?” she asked.
Who’s to blame?
In Thursday’s newspaper, Marshall Heilman of Mandiant, the firm hired by the state to examine the breach and plug security holes, said the hacker tricked a user into opening a malicious file that took advantage of vulnerable software, and that the agency’s computer login system did not have the strongest protections available to verify authorized users.
Asked Thursday about her statements last month in light of Heilman’s comments, Haley denied that she ever said the state’s employees are blameless.
“I didn’t say that,” she said after the Chamber luncheon. “What I’m saying is, we don’t know the whole story. I have said that I do not speak in absolutes because, if we know 95 percent of the story, there is still 5 percent out there.
“What I am saying is, as of now, everything that we’ve been told by Mandiant, which is the forensic company that Secret Service helped us bring in, everything that we’re being told up until now is that there is nothing that could’ve prevented this. I am not prepared to tell you that, because as long as 5 percent is out there, I don’t think we know the whole story.”
But Haley did not equivocate at her Oct. 29 press conference.
“This wasn’t an issue where anyone in the agency could’ve avoided it. This wasn’t an issue where anyone in state government could’ve done something to avoid it,” Haley said.
Instead, she focused blame on the hacker: “a sophisticated, intelligent criminal got into a database that is unbelievably creative on how they did it,” themes that continued the next day.
For his part, Harrell said he had no problem with the state withholding information about the breach for 16 days after it was discovered, because law enforcement requested the delay to protect the investigation.
But since the breach was made public, Harrell said, information about the episode has come out in dribs and drabs. One day, the public learned that 3.6 million Social Security numbers had been compromised. Then they learned that businesses also were at risk.
That was followed by this week’s revelation that 200,000 additional tax records had been breached, he said.
“I think it erodes the public’s confidence in the state’s ability to deal with the issue,” he said.
Rob Godfrey, Haley’s spokesman, said the governor and her staff held daily press conferences on the breach to get information to the public as they received it.
“The only other option was not to inform the public in real time, and that was never an option we considered,” he said. “The public deserved to know, and we will always inform them as soon as possible. That was true from the moment law enforcement gave us the go-ahead, and that remains true today.”
Harrell said he expects that the Legislature will have plenty of tough questions for those involved in the episode when it reconvenes in January. Questioning those people under oath in hearings is necessary to get to the bottom of what happened, determine who is responsible and prevent it from happening again, he said.
“I am angry just like the rest of the public is angry,” he said. “Realizing your personal information has been compromised by an entity that you are supposed to be able to trust with that information makes people angry, and rightfully so.”
Many have complained about the phone wait times, but on Thursday Haley praised the credit-monitoring companies for their service to South Carolina taxpayers.
“Experian and Dun and Bradstreet could not be any better in walking people through the process,” she said.
Experian is charging the state $12 million to cover every South Carolina taxpayer who signs up for its ProtectMyID service. Dun & Bradstreet Credibility Corp. offered to monitor the credit of all the hundreds of thousands of affected businesses for free, prompting Experian to offer a similar service.
Asked why the state has to pay for credit-monitoring for individuals but not businesses, Haley responded with a question of her own.
“Why don’t you ask, ‘Why wasn’t the Experian service $86 million, which is what it was supposed to be, and why is it $12 million?’” Haley said. “It’s because I negotiated with them to do the $12 million cap.”
Glenn Smith contributed to this report. Reach Brendan Kearney at 937-5906 and follow him on Twitter at @kearney_brendan