Former SC CIO says logs should have caught hacker

News,Science and Technology

COLUMBIA, S.C. (AP) — The former chief information officer of South Carolina's revenue agency accepted partial responsibility Thursday for the cyber-theft of millions of taxpayers' personal data, even while questioning why his staff didn't catch it.

Mike Garon told a House panel that he knew nothing about the hacking when he was forced to resign Sept. 21, a week after the thief removed data from the agency's computer servers. His two-hour testimony marked the first time Garon has spoken about the debacle.

"I have no information on the details of the data breach," he said to start the meeting. "I wasn't there when they discovered it."

According to experts hired by the state, the hacker likely gained access through a phishing email that an employee clicked on Aug. 13. The thief then repeatedly roamed the system before compressing and removing the data of 6.4 million residents and businesses.

Garon said employees should have caught that activity through computer logs. Either his security procedures were inadequate or weren't followed, he said.

"If it was not possible to detect what was going on because the logging systems were not adequate, then I will take responsibility for that," he said, though he made clear he doesn't believe that's the case. "I'd expect that to show up in the logs. It should show up immediately. They should've discovered it within a matter of days."

Revenue spokeswoman Samantha Cheek disputed that later Thursday, saying the state-paid experts at Mandiant determined the activity would not have appeared suspicious because the hacker used stolen employee credentials.

Agency officials have repeatedly said they didn't learn of the breach until Oct. 10, after being notified by the U.S. Secret Service.

Garon said he found that hard to believe.

"I am flabbergasted it was not discovered," he said.

While legislators pondered conspiracy theories regarding the timing of Garon's departure, the agency's former chief security officer — who left in September 2011 — said Garon bears more responsibility than he's accepting.

Scott Shealy, whose job went unfilled until August 2012, said after the meeting that the IT department was short-staffed and the remaining employees probably lacked the training to properly review the logs. He blamed the high turnover on Garon's abusive management style — the reason Garon was given for his initial firing, before he was allowed to resign.

Garon acknowledged to legislators he "got very upset" with an employee days before his departure for not paying attention.

"I am a very forceful manager," he said, noting that he was fired despite receiving a positive evaluation that week. "I believe in doing things right."

He said he never understood the circumstances of his leaving.

"Yes, I admit I can debate very seriously," he said. "I always thought I had the respect of senior management. The director and I debated strongly many times."

Shealy, who has previously testified that Garon disregarded his security recommendations, said Garon did not debate, but rather degraded, employees.

Garon said that after Shealy left, he dispersed IT duties. He acknowledged taking longer to fill Shealy's job than he should. "I was trying to do many things at one time," he said.

Jim Earley, director of the state's IT division, has testified that he notified Garon and Revenue's current computer security chief Aug. 13 that malicious codes were being downloaded on 22 computers. Resetting passwords was among the division's recommendations, but that didn't happen.

Garon, now retired, said he doesn't remember being notified about that incident, but didn't doubt that occurred. He said the agency was attacked with phishing emails and viruses fairly common, but protocol was in place, and he would have assumed staff had followed it and remedied the situation.

Asked for his opinion on who's to blame, he said, "You want a person, and I won't pick out a person."

"There are many procedures and policies and people responsible," he continued. "Am I accountable for some aspect of this? Yes."

View article comments Leave a comment