COLUMBIA, SC (WIS) - The South Carolina Department of Revenue had access to free network monitoring through the state's Internet technology department, but never chose to use it. That information came out Thursday in a letter from the Division of Information Technology director Jimmy Early to state Senator Vincent Sheheen, who is independently investigating the cyber attack.
The letter shows a list of municipal, county and state agencies who signed up for the network monitoring, but shows the South Carolina Department of Revenue chose to only have part of its network monitored. The report shows the networks SCDOR did not have the state monitor were the ones a foreign hacker stole 3.6 million South Carolina social security numbers from.
At least three hack attempts happened between August and mid-September. Investigators think the hacker stole the information during a successful mid-September attack. The state's Division of Information Technology notified SCDOR on October 10 that a hacker gained access to the revenue department's database, making off with millions of state tax payer information. It would take another 16 days before Governor Nikki Haley and the State Law Enforcement Division would notify the public of the breach and that social security numbers, credit card and debit card information was in the hands of a criminal. It took three weeks before more than 600,000 businesses in the state knew the hacker stole their information, as well.
The delay came at the request of law enforcement, according to SLED Chief Mark Keel. Keel said investigators were working to track the hacker down and releasing the news of the hack would have jeopardized the case. Keel said the hacker is in a foreign country, but wouldn't identify the country. Investigators have not said how close they are to tracking the hacker down.
The state Information Technology letter shows a list of agencies across the state that use the state's Cyber Security Network Monitoring program. The list includes: 9 municipalities, 5 public utility firms, 15 county governments, 82 of the state's 85 school districts and 54 state agencies. Most all state agencies included in the list hold personal tax payer information; some hold sensitive criminal and security data.
SCDOR did not fully implement the cyber monitoring until Oct. 20; a full 10 days after the state found out a hacker stole personal information from the department. DSIT director Jimmy Early included a note at the bottom of the letter concerning the SCDOR's Oct. 20 sign up, "Full network monitoring was instituted on 10/20/12. At the Department of Revenue's request, DSIT did monitor certain workstation activity at their Gervais Street location. DSIT was not asked to monitor the systems where the breached data was housed."
We do not know why SCDOR chose to not use the monitoring program, but have reached out to director James Etter for an explanation. As of this report, we have not heard back on a request for an interview.
SCDOR has 18 service center locations throughout the state, not including the agency's Columbia headquarters. That means 17 SCDOR locations' databases were not monitored under the state's Information Technology program.
SC INSPECTOR GENERAL REPORT
In April, SLED arrested a South Carolina Department of Health and Human Services employee after investigators found 228,435 Medicaid recipients' personal information was emailed to an employee's personal email account. That information, according to SLED, resulted in a security breach that disclosed personal medical information. SLED charged 36-year-old Christopher Lykes with the theft and said federal charges are likely.
Following the SCDHHS breach, Haley ordered then-Inspector General Jim Martin to conduct a "thorough" review of all state agency networks security and review who might has access to sensitive information. Martin started the investigation, but handed it off to Patrick Maley, the new Inspector General.
Maley finished his review of the SCDOR networks weeks ago, but Maley told WIS that he has not finalized his full report. "DOR had no findings from us," Maley said by phone Friday. Maley said he would not release his reports, but planned to summarize his findings in a letter to Haley and would not name the agencies in the letter, "My concern is putting the vulnerability of state agencies," Maley said.
Maley said he would release his letter to WIS on Friday, but reiterated that he would not include agency names in his letter.
SC CHIEF SECURITY OFFICER REPORT
The day before SLED and the governor announced the hack; the SC Information Sharing and Analysis Center held its annual "Cyber Security Awareness Seminar" in Columbia. The state's Chief Security Officer, James MacDougall led the seminar which included presentations from SLED, IBM, the FBI and other cyber security firms.
MacDougall's spent the past two years working to encrypt state agency databases.
MacDougall, in an article posted on his agency's Website weeks ago: https://sc-isac.sc.gov/content/encrypting-endpoints wrote about the importance of government agencies encrypting data to keep it out of the hands of hackers. MacDougall's also spent tax dollars through Homeland Security grants to push encryption on state agencies. In the article MacDougall wrote, "Encryption is one of my objectives...The project is not only for our agency, but I'm trying to get all healthcare and major law enforcement agencies on board."
The article outlines the percentages of data breaches into government databases since 2004:
*Federal Government: 6.81%
*State Government: 11.04%
*Local Government: 7.2%
Although the article is undated, it is readily available on the state's Information Sharing and Analysis Center Website.