At a Thursday morning press conference in the statehouse, Sen. Vincent Sheheen (D-Kershaw) and Rep. James Smith (D-Richland) minced few words in describing Gov. Nikki Haley’s handling of the hack into the Department of Revenue (DOR) database. The hack exposed the private personal information, including Social Security Numbers, of as many as 5.7 million taxpayers and 700,000 businesses.
Sheheen referred to Haley’s response as the “Mother of All Government Dysfunction.” Smith said that Haley “has not been straight with the people of South Carolina.”
The legislators pointed to several discrepancies in what Haley has said and what turned out to be true. Most notably, the claim that “nothing could have been done “ to prevent the security breach.
At a Senate subcommittee hearing yesterday, outgoing DOR Director Jim Etter said that a dual password system would have prevented the hacker from accessing data. A dual password system is required by the IRS for agencies and costs $25,000 per year to install and maintain. It was implemented after the breach.
Etter also said that he asked for $14.4 million in security upgrades earlier this year, but it was denied by the House. Smith characterized that portion of Etter’s statement as “offensive.”
Sheheen and Smith also were critical of the failure to take advantage of a free monitoring service from the State Information Office and the fact that personal data was unencrypted when it is commonplace in other states to do so.
During yesterday’s testimony before the Senate subcommittee it also was learned that there was not a full-time data security chief at DOR for nearly a year.
Both Sheheen and Smith said that while the vacancy probably did not help matters, it could not be solely attributed for the hack.
“All states are vulnerable to cyber attack but the truth is that our security in South Carolina was so incompetent that we're even more vulnerable,” Sheheen said.
He and Smith expressed dismay at what’s taken place once the breach was made public.
Sheheen said, “We have not received information in a timely fashion. It was six weeks after the initial hack when we were first told and if the media wasn’t about to report it, I’m not sure when we would have found out about it.”
Smith noted that legislators had sent a request to DOR to review the department’s policy but were told the policy could not be provided for fear it would “compromise information.”
Smith also said that when legislators asked to see the contract the state has with Trustwave, a data security firm, the version they received was heavily redacted (see photo on right).
Smith and Sheheen called for three steps:
- An independent and comprehensive audit be conducted immediately of the DOR: to find out what really went wrong, why it went wrong, what should be done to fix it, and who ultimately bears the responsibility. Sheheen said the audit needs to be done outside of what SLED is currently investigating because its findings won’t necessarily be criminal in nature.
- For a period of least five years and hopefully longer, the legislature should pass a tax credit allowing every citizen and business in South Carolina a tax credit for the cost of obtaining the necessary credit protection.
- Reimburse any South Carolina citizen who suffers a theft of his or her assets as a result of the compromised data.
Gov. Haley’s spokesperson Rob Godfrey said she is not opposed to an independent audit, ”There has already been one, at the governor's request, but she has no objection to a second one. Gov. Haley looks forward to working with the General Assembly on ways to further protect and compensate affected taxpayers.”
Haley defeated Sheheen in the gubernatorial race in 2010.
Through Godfrey, Haley dismissed Sheheen’s assessment of her handling of the hack as purely political.
“While Sen. Vince Sheheen once again played the role of political opportunist this morning, the governor was in Cheraw announcing Schaeffler’s $40 million investment in our state and 190 more jobs for South Carolinians. Throughout Sen. Sheheen’s long career as a political insider, he has never uttered the word ‘cyber-security’ until this hacking incident occurred. We’re used to Sen. Sheheen’s lame attempts at political grandstanding. As Sen. Sheheen grandstands Gov. Haley will continue her diligent daily efforts to make sure every South Carolinian is protected and to prevent further attacks. Any time Sen. Sheheen and Columbia Democrats have a constructive idea for how to help, she’s ready to listen.”
See Patch's complete coverage of the hack HERE.