Lawmakers want more information on website defacement
COLUMBIA — The recent defacement of the state workforce agency’s website is evidence that South Carolina is now a prime target for additional cyberattacks following the massive breach at the S.C. Department of Revenue, lawmakers leading investigations of the attack say.
“We’re at the top of the list for hackers to test,” said GOP House Majority Leader Bruce Bannister of Greenville, who chairs a House committee investigating the Revenue Department breach.
Anderson GOP Sen. Kevin Bryant, who leads a similar Senate panel, said the state can expect to see continued attacks like the one Dec. 22 that saw the homepage of the S.C. Department of Employment and Workforce replaced with an image stating, “This site was hacked.”
The agency’s website was back to normal a few hours later, and a spokeswoman for the department said no taxpayers’ personal information was affected, unlike the Revenue Department attack.
That breach of electronic tax forms at the agency announced in October resulted in the theft of records of 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 now-expired credit card numbers. The attack marked the largest known breach of a state agency in U.S. history.
“The techno-criminals across the world know that S.C. agencies are vulnerable,” Bryant said. “I’m sure that we’re going to have multiple attempts.”
The latest cyberattack has Bryant and others skeptical that the defacement of the Workforce website was a mere prank.
He noted that when the Revenue Department breach was first announced, Gov. Nikki Haley claimed nothing could have been done to prevent the attack.
That explanation changed as more facts about the attack and the state’s existing cybersecurity practices emerged.
Haley later said the state didn’t do enough to protect taxpayers’ sensitive information, and she accepted the resignation of the department’s director.
“Now we’re a little skeptical when we hear no information was stolen, it’s just a website defacement,” Bryant said.
Haley spokesman Rob Godfrey said in response that the administration has provided taxpayers and media members with updates on the hacking in real time and continues to welcome any questions lawmakers have about it.
Workforce agency spokeswoman Mary-Kathryn Craft said the department’s website contains public information about the agency and the federal programs it administers. She said the defacement can be compared to graffiti on a wall. “No other site managed by DEW was accessed, defaced or altered in any way,” Craft said.
Rep. Bakari Sellers, a Denmark Democrat and member of the House hacking panel, said Haley has done an abysmal job of protecting citizens’ private information and he’s skeptical of the administration’s transparency on the issue.
“Unfortunately, we don’t have any certainty,” he said of the latest website attack.
Godfrey said Sellers is playing politics.
“We wish State Rep. Sellers would see this not as another self-serving political opportunity to attack the governor but as an opportunity to work with the governor to strengthen our state,” Godfrey said.
The State Law Enforcement Division is investigating both the breach at the tax agency and the website defacement but has said there is no known connection between the two events.
Godfrey said Haley’s deputy chief of staff, Ted Pitts, is scheduled to testify before both legislative hacking panels when they meet Thursday, the first time anybody within Haley’s office will appear before the committees.
Bryant said he wants more information on the website attack, but Bannister said the defacement is unlikely to be a topic of his panel’s meeting due to uncertainty about the availability of workforce agency officials to testify.
Bannister said he has not seen anything to doubt the workforce agency’s explanation about the website defacement.
He expects the House hacking panel to meet at least four more times in the coming weeks, after which the panel and the similar Senate committee will offer up proposed legislation impacting the state’s cybersecurity procedures.