S.C. tax data hacked: What's known three weeks later

147875 articles in the archive and more added every day

S.C. tax data hacked: What's known three weeks later

By ANDREW SHAIN
The (Columbia) State
Published Saturday, November 17, 2012   |  708 Words  |  

COLUMBIA Details remain sketchy more than three weeks after S.C. officials revealed hackers swiped state tax information belonging to as many as 4.45 million consumers and businesses.

With Gov. Nikki Haley expected to release an investigative report this week, here is what is -- and is not -- known about the massive hacking attack and the latest on what is being done to prevent another cyber attack:

What do we know about what happened?

Not much.

Hackers duped an employee into opening a file with a program that allowed them to get log-in credentials to the department computers. The hackers probed the computers, starting in late August, before swiping the information in mid-September. The Secret Service told the state about the theft on Oct. 10.

Do we know what the thieves took?

Not exactly.

The state has not released information on what was stolen or from how many people. Haley said to be safe anyone who filed S.C. taxes since 1998 should assume anything on their tax return is in the hands of hackers. That encompasses 3.8 million consumers and 657,000 businesses. The hackers also snagged nearly 400,000 credit card numbers.

What could the thieves do with the tax information?

Practically anything.

They could get credit cards and loans, receive medical care and empty bank accounts. Hackers could net $360 million if they empty bank accounts belonging to only 1 percent of affected consumers and businesses, a former FBI agent said last week.

Has anyone's information been used?

No one knows.

Thieves could wait a year or more to strike. And even if a crook uses some taxpayers' financial information, pinpointing it to this theft will be difficult.

What kind of computer protection did the Revenue Department have?

The agency used some of common security measures -- two firewalls, email and website filters, and periodic virus scans. The department also hired Trustwave to check computer system security periodically to ensure the agency was in compliance with regulations on handling credit cards. Both measures failed to prevent or detect the theft.

Could the Revenue Department have taken other steps?

It seems so.

The department just partially used the Division of State Information Technology's free network-monitoring service. While that would not have stopped the breach, the state might have learned about the large amount of uploaded data sooner. The revenue agency also did not encrypt tax information sitting in servers.

What is being done?

Now, a lot.

The Revenue Department is encrypting data and using a special program nicknamed ''The Hand'' that will shut down computers infected by viruses or malware or uploading an usually amount of data. The department also is reviewing whether to reduce the number of employees who have access to its records from its current 250.

Doesn't anyone coordinate computer security among state agencies?

No, but look for that to change.

State agencies are allowed to handle their own computer systems. The Division of State Information Technology must market its services just like private-sector firms to state agencies. Last week, Haley ordered her 16 cabinet agencies to follow the state Information Technology division's security procedures. The state Inspector General is working with chief information officers at all state agencies on a plan to improve and coordinate computer security.

How much is the breach costing the state?

Nearly $14 million and counting.

South Carolina will pay Experian $12 million to provide a free year of credit monitoring to taxpayers. The state also is shelling out an estimated $741,000 to inform up to 1.5 million out-of-state residents who filed S.C. taxes since 1998; an estimated $500,000 for computer security firm Mandiant; $500,000 for five state agencies to program their computer systems to sync with the state Information Technology center; $160,000 for public relations firm Chernoff Newman to coordinate a news conference and place ads to consumers; and an estimated $100,000 for outside legal help from Columbia's Nelson Mullins law firm.