Haley defends not encrypting taxpayer information

  • Follow Metro

COLUMBIA — South Carolina used the same standards as banks and other private institutions when it decided not to encrypt Social Security numbers and other information on a database of state tax returns that was accessed by a hacker, Gov. Nikki Haley said Monday.

South Carolina Gov. Nikki Haley and State Law Enforcement Division Chief Mark Keel speak to the media about how a hacker gained access to 3.6 million tax returns from a state computer system in Columbia.  JEFFREY COLLINS/ASSOCIATED PRESS
South Carolina Gov. Nikki Haley and State Law Enforcement Division Chief Mark Keel speak to the media about how a hacker gained access to 3.6 million tax returns from a state computer system in Columbia.

Up to 3.6 million returns from as far back as 1998 might have been compromised by the international hacker, who likely penetrated the Department of Revenue’s system a month before the breach was detected by the U.S. Secret Service.

“The industry standard is most Social Security numbers are not encrypted. A lot of banks don’t encrypt,” Haley said. “It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.”

Investigators are still trying to determine how much information was taken by the hackers. Tax returns can include names, addresses, Social Security numbers and bank account information.

Online security experts recommend encryption of any sensitive data, which scrambles the information so it cannot be easily read by outsiders.

Encryption costs money and takes time, however, so governments and other organizations often don’t use it.

“You’d be surprised at the lack of security in some organizations. Sometimes they don’t have a lot of care around information that is very personal,” said David Kennedy, the founder of information security consulting company TrustedSec.

Haley said no one from the Revenue Department has been disciplined over the hacking incident.

Monday’s news conference didn’t release many new details about the hacking scheme. State Law Enforcement Division Chief Mark Keel said his agents are working with federal officials to pinpoint the person responsible and figure out exactly what information was taken and how it might be used.

Haley called the hacker a “sophisticated intelligent criminal” and said the way he obtained access to the tax returns was “unbelievably creative.”

Keel refused to go into details, but said almost all databases are vulnerable these days.

“I don’t think any governmental organization or corporate organization is immune from it. Unfortunately, it is the environment we live in today,” Keel said.

Kennedy and other security experts said that shouldn’t be the case. Especially troubling was how it took about a month from the time the hacker entered the system and accessed the data to the time the breach was discovered.

“You definitely should have been able to stop this attack,” Kennedy said. “And if they got around your system, you definitely should have been notified quicker the information was being extracted.”

Hackers are getting more sophisticated and are poking in systems for months to find out how vulnerable they are before they strike, said Tom Kellermann, the vice president of cyber security for computer security company TrendMicro.

South Carolina recently audited its database security after a state employee was charged with stealing Social Security numbers from more than 228,000 Medicaid patients in April. But Kellermann said that likely did nothing to stop the most recent attack.

The governor said she knows how South Carolina taxpayers feel because she was a victim of identity theft before. She and her husband discovered a maxed-out credit card under their names going to a different address.

“Trying to get that scrubbed off of our credit report took four or five years,” Haley said. “And in the process we had to deal with higher interest rates and we had to deal with credit issues and all of those things.”


COLUMBIA — By midday Monday, almost a half-million South Carolinians had jammed phone lines seeking credit protection from the massive data breach the state announced Friday afternoon.

About 300 telephone responders were on duty to help people sign up for protection after the breach that exposed 3.6 million Social Security numbers on file with the revenue department.

Since Friday, there have been at least 455,000 calls to a help center and 154,000 sign-ups for protection, officials said Monday morning. The average waiting time is 12 minutes, Gov. Nikki Haley said. She emphasized that taxpayers have until the end of January to use the service.

In addition to credit monitoring and fraud resolution, the state will provide $1 million in theft insurance to cover the cost of additional investigations for anyone who is affected by the breach. Residents can go to www.protectmyid.com/scdor to register for protection and type in SCDOR123.

Others who have filed a South Carolina tax return since 1998 can call (866) 578-5422.

– Morris News Service

Comments (0) Add comment
ADVISORY: Users are solely responsible for opinions they post here and for following agreed-upon rules of civility. Posts and comments do not reflect the views of this site. Posts and comments are automatically checked for inappropriate language, but readers might find some comments offensive or inaccurate. If you believe a comment violates our rules, click the "Flag as offensive" link below the comment.
jic 10/30/12 - 07:44 am
sorry nikki

In the world of computers, social security numbers are a well-known target for identity theft by hackers. Businesses and ALL government agencies have a moral responsibility to their customers and citizens to protect our privacy. Haley's comments are flippant at best when she should be apologizing. Cost for encryption is a nonissue and she knows it.

soapy_725 10/30/12 - 08:53 am
Government and businesses have no

moral responsibility to anyone. This is not a reality show. When they fail to use due caution, they say "mistake". When you fail to use due caution you end up in jail or broke.

Lets see you sue SC for your loss? There are no good hands on your side in this case.

soapy_725 10/30/12 - 08:57 am
Everone wants you SS number.....

Doctors, hospitals and it seems every piece of information has to have SS numbers. Clearly printed on the SS Card is "Not to be used for identification". The excuse is that they need to be able to collect their bills.

And it is part of you "Personal Privacy Guarantee". Yea. If the government can be hacked, good luck. You talk about a weapon of mass destruction. Lets start transferring IRA and 401K funds to Arab banks via EFT's and SS account numbers.

Back to Top
Search Augusta jobs
Top headlines
Augusta man sues city, sheriff officers over alleged tasing
An Augusta man who said he suffered a skull fracture after being tased in jail has filed suit against Augusta and two Richmond County sheriff's officers.