COLUMBIA — A massive breach of the S.C. Department of Revenue that has cost state taxpayers more than $14 million and counting likely would have been prevented by the implementation of a dual-password system costing $25,000, state senators learned Wednesday.
Marshall Heilman with cyber security firm Mandiant told senators that under such a system, agency employees would use their normal user names and passwords and then another password that changes with each login.
Heilman said the procedure likely would have stopped the breach.
The multiple-password system wasn’t in place at the time a hacker successfully attacked the Revenue Department, compromising personal information from more than 4.2 million current and former S.C. taxpayers.
James Etter, outgoing director of the tax-collection agency, told senators that the department is now spending $25,000 to implement the system.
Etter is resigning at the end of the year.
“We wouldn’t be here if somebody made that decision to use the multifaceted authentication,” Anderson GOP Sen. Kevin Bryant said after the hearing. “I almost fell out of my chair when I came to that conclusion.”
Bryant is co-chairman of a newly formed Senate Finance subcommittee tasked with delving into the breach. The panel first met Wednesday.
In late August, the hacker used one Revenue employee’s credentials to log into a remote access service for the agency. The hacker then used that access and credentials to get into other agency systems and databases through the use of malicious software and hacking techniques, according to a Mandiant report.
Internal Revenue Service tax information guidelines for government agencies using remote access service state that: “Two-factor authentication is required whenever FTI (federal tax information) is being accessed from an alternate work location or if accessing FTI via the agency’s web portal.”
Asked if the lack of a dual-password system at the Revenue Department violated those IRS guidelines, agency spokeswoman Samantha Cheek said the requirement is among those for accessing federal tax information and the employee credentials used did not have that access. The Mandiant report said the employee credentials were used to leverage the user’s access rights and ultimately breach Revenue Department systems and databases.
An IRS spokesman could not be reached for comment on the federal remote access policies and whether the Revenue Department was in compliance.
Also at the hearing, it was revealed that the department has gone without a cyber security expert since September 2011.
Etter said the job’s salary of about $100,000 made it difficult to fill the position when qualified candidates can make twice as much in the private sector. Etter said the agency’s former chief information officer assumed the cybersecurity role while the agency tried to fill the position. The breach affecting millions of taxpayers occurred while the chief information officer, Mike Garon, pulled double duty.
He resigned less than three weeks before the Secret Service alerted state officials to the breach on Oct. 10. The Revenue Department has refused to say why he quit, calling it a personnel matter.
Bryant said after the hearing that it’s outrageous that the Revenue Department cybersecurity post sat unfilled for so long. “Why was someone not screaming from the rooftops ‘We’ve got to fill this position?’” he asked.
In another development, Etter said the Revenue Department priced the cost of encrypting all tax data, including Social Security numbers, at $5 million in 2006. That full encryption never happened, and the hacker gained access to millions of tax returns that contained unencrypted Social Security numbers. Etter and Gov. Nikki Haley have said the IRS didn’t require encryption of Social Security numbers, though officials in neighboring Georgia and North Carolina have said their revenue agencies encrypt all data. The S.C. Revenue Department is in the process of encrypting all Social Security numbers on tax returns.
Etter said Wednesday that his agency last year sought more than $14 million for computer upgrades that would have led to encryption of all data but said the House cut the funding in the budget. But the money was for upgrades to take place during the next five years, according to the agency’s budget proposal from last year. And the Revenue Department was able to come up with the money for the first year of implementation, almost $1.8 million, using existing funds. The cash for year two of the request, more than $4.3 million, was included in last year’s budget passed by the Legislature, according to House budget writing staff. But the money was subsequently cut when the 2012 fiscal year ended with a smaller-than-expected budget surplus, according to budget staff.
The Revenue Department’s request for the funding last year didn’t specifically mention security enhancements the funding would bring, instead emphasizing tax-collection improvements.
The $14 million-plus the breach has cost the state so far includes $12 million for credit monitoring and other services from Experian, outside legal counsel, help from a PR firm and the cost of notifying former Palmetto State residents that their personal information was compromised.