COLUMBIA, S.C. (AP) — The state Department of Revenue's deputy director acknowledged Thursday his agency was notified in August of a computer security breach, but the response clearly wasn't adequate since a hacker stole millions of taxpayers' personal data a month later.
Harry Cooper told a House oversight panel that officials received email and phone notifications that 22 computers had been infected. He said employees used software designed to wipe those machines clean, as per agency procedure. House members noted that obviously wasn't enough.
"That's correct; it was inadequate," Cooper said.
The hacker was able to log in remotely and roam the system for weeks before taking unencrypted Social Security and bank account numbers from tax filings dating to 1998 from the agency's computer servers. It wasn't until mid-October that state officials realized taxpayers' data had been compromised, and that took notification from the U.S. Secret Service.
House Majority Leader Bruce Bannister said after the meeting his biggest frustration now is the agency's slowness to act since the hacking.
The three top recommendations from Mandiant, the computer security firm hired in October, were to encrypt stored data, create dual authentication for users logging in remotely, and segment the database to limit access to what employees need to see.
Cooper and the agency's interim chief information officer said work on the dual password system began Dec. 19 and should be completed by month's end — at a cost of just $12,000. Work on the other priority recommendations has yet to start. The agency hopes to hire an encryption contractor Friday and have that completed in April. Segmenting the database will depend on who's selected to encrypt, Cooper said.
Revenue has been criticized for not using the state information technology division's computer monitoring services — which are offered but not required — before the hacking. While the IT division's monitors weren't on revenue's servers, the agency was using the service on the desktop computers that were initially infected after an employee clicked on a phishing email.
State IT division director Jim Earley said revenue's former chief information officer and current computer security chief were told Aug. 13 that malicious codes were being downloaded on 22 computers. Resetting passwords was among the division's recommendations.
Revenue officials didn't do that. Earley told legislators he's unsure if that would've prevented the data theft.
But requiring two passwords to log into the system remotely definitely would have prevented the nation's largest hacking of a state agency, Cooper acknowledged.
Last week, the agency's former computer security chief, Scott Shealy, testified that his bosses wouldn't listen to his recommendations to encrypt stored data and require dual log-in certification. Shealy left that job in September 2011, and it remained vacant until Aug. 2 — days before the hacker gained access.
House members expressed disbelief that it took until March for Revenue to even advertise the job. Cooper testified that while Shealy's post went unfilled, his duties were handled by other employees, including the former CIO.
Cooper also said he could not address whether Shealy made recommendations that were ignored. He said no such discussion reached his level. Cooper's twice-weekly meetings with administrators included Shealy's boss, not Shealy, he said.
"It's quite apparent to me that not having a chief of security that reports to the operational team is a problem," said Rep. Harry Ott, D-St. Matthews.
Cooper assured the committee that the computer security chief is now part of the executive team.
Former chief information officer Mike Garon resigned in September. House members said the timing seemed suspicious, but Cooper repeatedly said Garon's departure had nothing to do with the hacking.
The committee wants to hear from Garon, but Bannister said staff has been unable to find him. The Associated Press also has been unable to reach him.