Haley does turn-about on hacking preventability

Brian Cassella/Chicago Tribune/MCT Gov. Nikki Haley said Tuesday the compromised computer system had two vulnerabilities — it did not require dual verification for entry and it did not encrypt the Social Security numbers it held.

As the investigation into the hack into the S.C. Department of Revenue progressed, some of Gov. Nikki Haley’s public statements about the breach necessarily evolved. But concerning the preventability of the hack and whether the state or an employee enabled it, the governor staked out positions at the beginning that she has now fully reversed.

On Oct. 29, Haley said the hack “wasn’t an issue where anyone in the agency could’ve avoided it.”

On Oct. 30, she reiterated that point.

“This was no issue with someone within the agency, this was no hole that was within DOR, this was nothing that something was left open by an employee,” she said.

“There was not one thing or one person in the Department of Revenue that could’ve avoided this hack,” she said minutes later.

On Nov. 8 Haley began to change her stance on the preventability question, saying she did not want to speak in absolutes until the outside investigators from Mandiant had 100 percent finished their report.

“What I am saying is, as of now, everything that we’ve been told by Mandiant ... everything that we’re being told up until now is that there is nothing that could’ve prevented this,” she said. “I am not prepared to tell you that, because as long as 5 percent is out there, I don’t think we know the whole story.”

On Tuesday, with the Mandiant report complete, Haley’s turnabout was also complete.

She said the compromised computer system had two vulnerabilities — it did not require dual verification for entry and it did not encrypt the Social Security numbers it held.

“Should we have done more?” she asked. “Yes, we should’ve done more than we did.”

Minutes later, she reiterated “what I want you to know.”

“Could South Carolina have done a better job?” she asked. “Absolutely, or we would not be standing here.”

Beyond the system vulnerabilities, the Mandiant report also confirmed that human error was to blame.

“A malicious (phishing) email was sent to multiple Department of Revenue employees,” the report said. “At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised.”

On Oct. 29, Haley was asked if anyone in state government would be disciplined for the hack.

“No,” she said. “The person I hope’s disciplined is this international criminal that came in and hacked.”

On Nov. 8, Haley softened her stance on that question too.

“Is it time for the blame game? No, not yet. Not til you know the whole story,” she said.

On Tuesday, Haley announced she had accepted Department of Revenue Director Jim Etter’s resignation, effective at the end of the year.

“I think Jim and I came to an understanding that we ... need a new set of eyes on the Department of Revenue,” she said.

Comments { }

Postandcourier.com is pleased to offer readers the enhanced ability to comment on stories. We expect our readers to engage in lively, yet civil discourse. Postandcourier.com does not edit user submitted statements and we cannot promise that readers will not occasionally find offensive or inaccurate comments posted in the comments area. Responsibility for the statements posted lies with the person submitting the comment, not postandcourier.com. If you find a comment that is objectionable, please click "report abuse" and we will review it for possible removal. Please be reminded, however, that in accordance with our Terms of Use and federal law, we are under no obligation to remove any third party comments posted on our website. Read our full Terms and Conditions.