Scott Shealy told a South Carolina House committee investigating hacked tax records at the Revenue Department that he spoke to his bosses for several years about how information should be encrypted and employees should be required to enter a code or scan a thumbprint to access the information.
Computer security experts said either step could have lessened the impact or stopped the hacker who accessed 4 million state tax returns and likely stole Social Security numbers, bank account information and other sensitive data.
Shealy said Mike Garon, the Department of Revenue’s former chief information officer, was a micromanager who didn’t listen to the advice of those under him.
“As a security officer, I was unable to adequately perform my job function because I did not have the support of my CIO,” said Shealy, who spoke publicly for the first time since leaving the agency to work elsewhere in state government a year before the hacking in September 2011.
Garon resigned in September, while the hacker was accessing the agency’s computer and a month before the security breach was revealed. The agency has refused to say why Garon quit, but said it was unrelated to the hacking. He has not spoken publically.
Phone numbers for Garon had been disconnected Thursday. The Revenue Department also refused to address Shealy’s allegations, instead releasing a statement that read: “As an agency we are focusing on what we can do in the future to safeguard taxpayer data to help prevent similar occurrences.”
Committee member and House Minority Leader Harry Ott said he thinks the agency tried to save money by waiting a year to fill Shealy’s job and that it ended up costing the agency a lot more.
“In an effort to save pennies, we’re going to spend millions of taxpayer dollars,” said Ott, D-St. Matthews.
Shealy said the agency also cut down on efforts to teach employees how to be careful with their computers and prevent cyber scams. An outside investigation found the hacker likely was first able to enter Revenue’s computer system by getting an employee to click on a malicious link and spent a month undetected, setting up other ways to get in the system before stealing the data.
It didn’t seem like a clever or hard-to-detect scheme, said Shealy, who added that the incident could have been even worse if the hacker managed to get into a different system where Revenue employees can access Department of Motor Vehicle information or databases of licensed employees to help in audits.
“There is more information within that organization than just tax information, or taxpayer information,” Shealy said. “It requires a high level of security and a high level of management and oversight. And that fell very short.”