COLUMBIA — South Carolina used the same standards as banks and other private institutions when it decided not to encrypt Social Security numbers and other information on a database of state tax returns that was accessed by a hacker, Gov. Nikki Haley said Monday.
Up to 3.6 million returns from as far back as 1998 might have been compromised by the international hacker, who likely penetrated the Department of Revenue’s system a month before the breach was detected by the U.S. Secret Service.
“The industry standard is most Social Security numbers are not encrypted. A lot of banks don’t encrypt,” Haley said. “It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.”
Investigators are still trying to determine how much information was taken by the hackers. Tax returns can include names, addresses, Social Security numbers and bank account information.
Online security experts recommend encryption of any sensitive data, which scrambles the information so it cannot be easily read by outsiders.
Encryption costs money and takes time, however, so governments and other organizations often don’t use it.
“You’d be surprised at the lack of security in some organizations. Sometimes they don’t have a lot of care around information that is very personal,” said David Kennedy, the founder of information security consulting company TrustedSec.
Haley said no one from the Revenue Department has been disciplined over the hacking incident.
Monday’s news conference didn’t release many new details about the hacking scheme. State Law Enforcement Division Chief Mark Keel said his agents are working with federal officials to pinpoint the person responsible and figure out exactly what information was taken and how it might be used.
Haley called the hacker a “sophisticated intelligent criminal” and said the way he obtained access to the tax returns was “unbelievably creative.”
Keel refused to go into details, but said almost all databases are vulnerable these days.
“I don’t think any governmental organization or corporate organization is immune from it. Unfortunately, it is the environment we live in today,” Keel said.
Kennedy and other security experts said that shouldn’t be the case. Especially troubling was how it took about a month from the time the hacker entered the system and accessed the data to the time the breach was discovered.
“You definitely should have been able to stop this attack,” Kennedy said. “And if they got around your system, you definitely should have been notified quicker the information was being extracted.”
Hackers are getting more sophisticated and are poking in systems for months to find out how vulnerable they are before they strike, said Tom Kellermann, the vice president of cyber security for computer security company TrendMicro.
South Carolina recently audited its database security after a state employee was charged with stealing Social Security numbers from more than 228,000 Medicaid patients in April. But Kellermann said that likely did nothing to stop the most recent attack.
The governor said she knows how South Carolina taxpayers feel because she was a victim of identity theft before. She and her husband discovered a maxed-out credit card under their names going to a different address.
“Trying to get that scrubbed off of our credit report took four or five years,” Haley said. “And in the process we had to deal with higher interest rates and we had to deal with credit issues and all of those things.”