As the investigation into the hack into the S.C. Department of Revenue progressed, some of Gov. Nikki Haley’s public statements about the breach necessarily evolved. But concerning the preventability of the hack and whether the state or an employee enabled it, the governor staked out positions at the beginning that she has now fully reversed.
On Oct. 29, Haley said the hack “wasn’t an issue where anyone in the agency could’ve avoided it.”
On Oct. 30, she reiterated that point.
“This was no issue with someone within the agency, this was no hole that was within DOR, this was nothing that something was left open by an employee,” she said.
“There was not one thing or one person in the Department of Revenue that could’ve avoided this hack,” she said minutes later.
On Nov. 8 Haley began to change her stance on the preventability question, saying she did not want to speak in absolutes until the outside investigators from Mandiant had 100 percent finished their report.
“What I am saying is, as of now, everything that we’ve been told by Mandiant ... everything that we’re being told up until now is that there is nothing that could’ve prevented this,” she said. “I am not prepared to tell you that, because as long as 5 percent is out there, I don’t think we know the whole story.”
On Tuesday, with the Mandiant report complete, Haley’s turnabout was also complete.
She said the compromised computer system had two vulnerabilities — it did not require dual verification for entry and it did not encrypt the Social Security numbers it held.
“Should we have done more?” she asked. “Yes, we should’ve done more than we did.”
Minutes later, she reiterated “what I want you to know.”
“Could South Carolina have done a better job?” she asked. “Absolutely, or we would not be standing here.”
Beyond the system vulnerabilities, the Mandiant report also confirmed that human error was to blame.
“A malicious (phishing) email was sent to multiple Department of Revenue employees,” the report said. “At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised.”
On Oct. 29, Haley was asked if anyone in state government would be disciplined for the hack.
“No,” she said. “The person I hope’s disciplined is this international criminal that came in and hacked.”
On Nov. 8, Haley softened her stance on that question too.
“Is it time for the blame game? No, not yet. Not til you know the whole story,” she said.
On Tuesday, Haley announced she had accepted Department of Revenue Director Jim Etter’s resignation, effective at the end of the year.
“I think Jim and I came to an understanding that we ... need a new set of eyes on the Department of Revenue,” she said.
Notice about comments:
The Post and Courier is pleased to offer readers the enhanced ability to comment on stories. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We ask that you refrain from profanity, hate speech, personal comments and remarks that are off point.