Testifying before a Senate subcommittee investigating the Department of Revenue (DOR) data security breach on Tuesday, the DOR’s interim chief announced additional costs related to the incident.
William Blume told the panel that the DOR had signed a contract for $5 million with data security company EMC. The contract calls for EMC to deliver equipment to the DOR by January 28 and encrypt all data within 13 weeks.
The $5 million price tag is in addition to the $20 million that the DOR was loaned to deal with the security breach, which was announced in October, more than two weeks after it happened.
Find out what's happening in Columbiawith free, real-time updates from Patch.
No arrests have been made in the breach that affected nearly 4 million South Carolinians.
Find out what's happening in Columbiawith free, real-time updates from Patch.
Blume said that his primary focus since taking over has been to remake the organization. He presented the committee with a new organizational chart that he believes will improve the system of check and balances. Blume said his biggest concern is not technological know-how, but improving the DOR’s culture.
Blume said he’s posted job openings for Chief IT Officer, Chief IT Security Officer and IT Security Staffer.
Sen. Vincent Sheheen (D-Kershaw), an outspoken critic of the handling of the breach, said the damage has already been done and the DOR still has plenty of work to do. “There needs to be much greater transparency about what’s being done at the DOR,” Sheheen told Patch. “It’s a direct reflection of the management and it is very concerning.”
Testifying prior to Blume was the former data security chief at the DOR Scott Shealy. Shealy repeated much of the testimony he’d given to a similar committee in the House, when he noted that data security was “not a priority.”
Much like his appearance before the House committee, Shealy described an organization that was rife with dysfunction.
Under questioning from Sen. Darrell Jackson (D-Richland), Shealy described the DOR’s outsourcing procedures. Shealy said that, to his knowledge none of the DOR’s contractors were from outside the United States. But Shealy could not guarantee that the contractors did not outsource some of their work overseas.
Pressed by Jackson, Shealy was asked if he thought this presented a security risk. He did not say, but he did allow that is was “difficult” to audit the security levels of outsourcing companies.
Officials have confirmed that the hack was initiated outside of the United States.
The Deputy Director of the DOR Harry Cooper said that subsequent to the hack tighter controls have been placed on agency’s contractors.
Sheheen again found this development unsatisfactory. “There are some things that shouldn’t be outsourced and data security could very well be one of them. It’s a question of responsibility and accountability,” Sheheen said.
Keep up with all of Patch's coverage of South Carolina politics by following us on Facebook HERE and Twitter HERE.
Get more local news delivered straight to your inbox. Sign up for free Patch newsletters and alerts.