Doubts remain about status of S.C.'s data security

Tim Smith, The Greenville (S.C.) News
The South Carolina Department of Revenue is located on Gervais Street in Columbia.
  • South Carolina chief information security officers think state's cyber security posture is poor
  • State's inspector general recommends creating a cyber security program
  • About 3.8 million Social Security numbers were exposed

COLUMBIA, S.C. — Nearly two months after publicly disclosing a massive data breach at the South Carolina Department of Revenue, state officials are unsure just what kind of weaknesses exist in state agencies' cyber security.

The State Budget and Control Board — the five-member board that oversees the state's administrative agency as well as state financial decisions — took the first step to find out Wednesday when it authorized hiring a consultant to craft a bid for a firm to assess the state's security and develop a statewide cyber security plan.

The board also approved a $20.1 million loan to the Revenue Department to handle some of the state's response to the hacking.

"Us moving fast after this crisis was very, very important," Gov. Nikki Haley told the board. "Every other agency is still getting pinged at this point. We are not exempt from this. Waiting on the legislative session to decide on an RFP (request for proposal) is allowing more risk."

Marcia Adams, executive director of the State Budget and Control Board, said the vendor selected to help create a statewide cyber security plan first will look at each agency to assess its security.

"We really don't know what we have in the state," Adams said of cyber security at each agency.

State Inspector General Patrick Maley told the panel about his report on the status of cyber security among agencies, which relied on opinions of 18 chief information officers, officials with the state's Division of Information Technology and others to conclude the overall security for the state is "less than adequate."

Maley has said his investigation into the hacking shows that many state agency chief information officers, the officials who run agency computer networks, believe the state's cyber security posture is poor.

He recommends that the state create a cyber security program, establish the position of chief information security officer, and create an entity to accept responsibility for the security program and the authority to create policies.

About 100 agencies, commissions, boards, colleges and universities operate computers in state government, but there is no centralized control of their security and operations.

Seeking an expert

State Sen. Hugh Leatherman, chairman of the Senate Finance Committee and a member of the board, said he wants to be sure that expertise is used in finding the right firm to assess agencies and develop a statewide plan.

Since the breach was disclosed by Haley on Oct. 26, the Department of Revenue has moved to fix its primary vulnerabilities, encrypting all its data and installing a dual-password system. In addition, the agency is now using a computer network monitoring system offered for free by the Information Technology office.

The hacking exposed 3.8 million Social Security numbers, 3.3 million bank account numbers and information from almost 700,000 businesses.

The first intrusion into the Revenue Department's computers began in August, unnoticed by any officials operating its computer system.

It wasn't until Oct. 10 that the computer crimes office of the U.S. Secret Service discovered that a foreign hacker had taken a database from the department's computers, exposing taxpayers' Social Security numbers and credit and debit card numbers. It was one of the largest computer breaches in the state or nation.

Three more breaches followed — the first, another "browse" on Sept. 3, and then two more, concluding with the data theft on Sept. 13, said James Etter, former director of the Department of Revenue.

A Secret Service agent, Mike Williams, said the agency's computer crimes office first uncovered the intrusion and notified state authorities.

Although the U.S. Secret Service and the South Carolina Law Enforcement Division have been investigating the hacking since Oct. 10, no arrests have been announced.

The $20.1 million loan to the Department of Revenue will come from the state Insurance Reserve Fund and is to be repaid by next October.

Among the expenses the $20.1 million loan to the Department of Revenue will cover are a $12 million contract with Experian, which is providing credit monitoring for a year; $5.6 million for encryption and dual passwords at the Department of Revenue; and $20,000 for the electronic searching of taxpayers living outside South Carolina.
