Haley defends not encrypting taxpayer information

South Carolina Gov. Nikki Haley and State Law Enforcement Division Chief Mark Keel speak to the media about how a hacker gained access to 3.6 million tax returns from a state computer system in Columbia.

COLUMBIA — South Carolina used the same standards as banks and other private institutions when it decided not to encrypt Social Security numbers and other information on a database of state tax returns that was accessed by a hacker, Gov. Nikki Haley said Monday.


Up to 3.6 million returns from as far back as 1998 might have been compromised by the international hacker, who likely penetrated the Department of Revenue’s system a month before the breach was detected by the U.S. Secret Service.

“The industry standard is most Social Security numbers are not encrypted. A lot of banks don’t encrypt,” Haley said. “It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.”

Investigators are still trying to determine how much information was taken by the hackers. Tax returns can include names, addresses, Social Security numbers and bank account information.

Online security experts recommend encryption of any sensitive data, which scrambles the information so it cannot be easily read by outsiders.

Encryption costs money and takes time, however, so governments and other organizations often don’t use it.

“You’d be surprised at the lack of security in some organizations. Sometimes they don’t have a lot of care around information that is very personal,” said David Kennedy, the founder of information security consulting company TrustedSec.

Haley said no one from the Revenue Department has been disciplined over the hacking incident.

Monday’s news conference didn’t release many new details about the hacking scheme. State Law Enforcement Division Chief Mark Keel said his agents are working with federal officials to pinpoint the person responsible and figure out exactly what information was taken and how it might be used.

Haley called the hacker a “sophisticated intelligent criminal” and said the way he obtained access to the tax returns was “unbelievably creative.”

Keel refused to go into details, but said almost all databases are vulnerable these days.

“I don’t think any governmental organization or corporate organization is immune from it. Unfortunately, it is the environment we live in today,” Keel said.

Kennedy and other security experts said that shouldn’t be the case. Especially troubling was how it took about a month from the time the hacker entered the system and accessed the data to the time the breach was discovered.

“You definitely should have been able to stop this attack,” Kennedy said. “And if they got around your system, you definitely should have been notified quicker the information was being extracted.”

Hackers are getting more sophisticated and are poking in systems for months to find out how vulnerable they are before they strike, said Tom Kellermann, the vice president of cyber security for computer security company TrendMicro.

South Carolina recently audited its database security after a state employee was charged with stealing Social Security numbers from more than 228,000 Medicaid patients in April. But Kellermann said that likely did nothing to stop the most recent attack.

The governor said she knows how South Carolina taxpayers feel because she was a victim of identity theft before. She and her husband discovered a maxed-out credit card under their names going to a different address.

“Trying to get that scrubbed off of our credit report took four or five years,” Haley said. “And in the process we had to deal with higher interest rates and we had to deal with credit issues and all of those things.”


COLUMBIA — By midday Monday, almost a half-million South Carolinians had jammed phone lines seeking credit protection from the massive data breach the state announced Friday afternoon.

About 300 telephone responders were on duty to help people sign up for protection after the breach that exposed 3.6 million Social Security numbers on file with the revenue department.

Since Friday, there have been at least 455,000 calls to a help center and 154,000 sign-ups for protection, officials said Monday morning. The average waiting time is 12 minutes, Gov. Nikki Haley said. She emphasized that taxpayers have until the end of January to use the service.

In addition to credit monitoring and fraud resolution, the state will provide $1 million in theft insurance to cover the cost of additional investigations for anyone who is affected by the breach. Residents can go to www.protectmyid.com/scdor to register for protection and type in SCDOR123.

Others who have filed a South Carolina tax return since 1998 can call (866) 578-5422.

– Morris News Service



Sat, 12/16/2017 - 00:31

Rants and raves

Fri, 12/15/2017 - 23:54

Empty Stocking Fund List