COLUMBIA — Six months after a hacker stole the personal data of millions of South Carolina taxpayers, legislators are moving past finger-pointing hearings on who to blame and focusing on how to prevent another massive breach.
Meanwhile, the cost to taxpayers continues to climb. The September cybertheft of unencrypted data from the Department of Revenue’s servers represented the nation’s largest hacking of a state agency. The cleanup since state officials learned of the breach Oct. 10 from the U.S. Secret Service has cost $25 million so far.
Going forward, whatever it costs to fix the system and make it up to the 6.4 million people and businesses exposed is what the state needs to pay, Senate Finance Chairman Hugh Leatherman, R-Florence, said Tuesday.
“When the government requires citizens to give their information, it’s up to the government to protect that information,” agreed Senate Majority Leader Harvey Peeler, R-Gaffney. He added, however, “I want to make sure whatever we spend, we’re getting our money’s worth.”
A contract with Experian to provide credit monitoring – signed under a no-bid, emergency situation – accounted for the mishap’s largest single bill, at $12 million.
Both the House and Senate agree the state will pay for credit monitoring beyond the one year covered by the contract. Multiple companies are bidding for that future business.
As of Friday, 1.4 million people had signed up for Experian’s services since Gov. Nikki Haley announced the breach Oct. 26. Anyone else wishing to sign up has just one week to do so.
A bill moving through the Senate, aimed at centralizing computer security responsibilities across state and local governments, would extend monitoring by up to 10 years for everyone enrolled by the March 31 deadline. The measure also creates two agency divisions and two committees at an unknown cost, and provides a tax credit for those buying other credit protection. That is predicted to reduce revenue by $2.3 million.
Meanwhile, the House budget proposal sets aside $25 million to cover at least one year of additional monitoring, as well as any cybersecurity improvements approved by the Budget and Control Board.
A $3 million contract the board awarded to Deloitte & Touche out of Raleigh, N.C., took effect Friday. Its three-year effort to evaluate agencies’ computer systems and offer recommendations will begin with three agencies. A report on those three is due May 1 and must include budget estimates for suggested changes in 2013-14.
The company will evaluate 18 agencies over three years but should first determine the most immediate vulnerabilities.
“We have made significant progress toward securing data in state government and mapping out a long-term, holistic plan for IT security. But we’re not going to stop until we provide South Carolina taxpayers and citizens with the best protection at the least cost and least hassle to them,” Haley spokesman Rob Godfrey said.
Information on how it happened and who was affected came out piecemeal through Haley’s news conferences and sometimes-overlapping legislative hearings. Haley has sometimes needed to correct herself. That included her being adamant for weeks that no one was to blame and nothing different could have been done.
That is, until she released the findings of Mandiant, computer experts paid $840,000 to, among other things, plug the security hole and determine what happened. On Nov. 20, Haley accepted the resignation of Revenue Director Jim Etter.
Mandiant determined two things could have prevented the hacking: the encryption of stored data or requiring more than one password to log into the system remotely.
Encryption of the agency’s data is set for completion in late April under a $4 million contract. The extra log-in step was put in place in January, at a cost of just $12,000, which covered the licensing and purchase of about 300 tokens that provide ever-changing passwords, according to the revenue agency.
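The article does not say which kind of token the agency bought; the added example below (not code from the article, the agency or its vendors) assumes they are the common RFC 6238 time-based one-time-password kind and shows the server side of the "extra log-in step": deriving the expected code from a shared secret and the clock, tolerating small clock drift, and refusing a code that has already been used so a phished or captured code cannot be replayed. The secret is the RFC 6238 test-vector secret, not anything real.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of (default 30-second) steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

class TokenVerifier:
    """Server-side check for a time-based token code.

    Accepts codes from neighbouring time steps (clock drift) but remembers the
    last step each user authenticated with, so a code that was already accepted,
    or one from an older step, is rejected as a replay.
    """
    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}  # user -> highest time step already consumed

    def verify(self, user: str, secret: bytes, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self._last_step.get(user, -1):
                continue  # this step was already used by this user: treat as replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time compare
                self._last_step[user] = counter
                return True
        return False

# Constructed demo using the RFC 6238 Appendix B test secret (8-digit codes).
if __name__ == "__main__":
    secret = b"12345678901234567890"
    verifier = TokenVerifier(digits=8)
    print(totp(secret, 59, digits=8))                        # 94287082 per RFC 6238
    print(verifier.verify("alice", secret, "94287082", 59))  # True
    print(verifier.verify("alice", secret, "94287082", 59))  # False: replayed code
```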
The agency’s new director, Bill Blume, said he’s made securing confidential information a nonnegotiable requirement. He also changed the agency’s structure, one factor in the mishap. The agency’s top information-security officer now reports directly to Blume, ensuring recommendations aren’t dismissed as they had been by those below senior management.
Blume attributes the breach to human error, noting it all stemmed from an employee who clicked on a phishing email.
“We need to educate our staff better and train them better in respect to clicking on links that lead to a malicious problem,” he said in a phone interview Thursday.
Since Blume took the agency’s helm in January, 14 people have been disciplined for not abiding by the new focus on security, such as continuing to click on links despite recent training, with actions including unpaid suspensions and layoffs.
“We’re reluctant to do it, but when we put out that security is not negotiable, we expect compliance,” he said.