Dems Call For Independent Investigation of SCDOR Hack, Creation of Fund

Sen. Vincent Sheheen and Rep. James Smith blast Haley's management before, during and after the massive SCDOR computer hack.

At a Thursday morning press conference in the statehouse, Sen. Vincent Sheheen (D-Kershaw) and Rep. James Smith (D-Richland) minced few words in describing Gov. Nikki Haley’s handling of the hack into the Department of Revenue (DOR) database. The hack exposed the private personal information, including Social Security Numbers, of as many as 5.7 million taxpayers and 700,000 businesses.

Sheheen referred to Haley’s response as the “Mother of All Government Dysfunction.” Smith said that Haley “has not been straight with the people of South Carolina.”

The legislators pointed to several discrepancies in what Haley has said and what turned out to be true. Most notably, the claim that “nothing could have been done “ to prevent the security breach.

At a Senate subcommittee hearing yesterday, outgoing DOR Director Jim Etter said that a dual password system would have prevented the hacker from accessing data. A dual password system is required by the IRS for agencies and costs $25,000 per year to install and maintain. It was implemented after the breach.

Etter also said that he asked for $14.4 million in security upgrades earlier this year, but it was denied by the House. Smith characterized that portion of Etter’s statement as “offensive.”

Sheheen and Smith also were critical of the failure to take advantage of a free monitoring service from the State Information Office and the fact that personal data was unencrypted when it is commonplace in other states to do so.

During yesterday’s testimony before the Senate subcommittee it also was learned that there was not a full-time data security chief at DOR for nearly a year. 

Both Sheheen and Smith said that while the vacancy probably did not help matters, it could not be solely attributed for the hack.

“All states are vulnerable to cyber attack but the truth is that our security in South Carolina was so incompetent that we're even more vulnerable,” Sheheen said.

He and Smith expressed dismay at what’s taken place once the breach was made public.

Sheheen said, “We have not received information in a timely fashion. It was six weeks after the initial hack when we were first told and if the media wasn’t about to report it, I’m not sure when we would have found out about it.”

Smith noted that legislators had sent a request to DOR to review the department’s policy but were told the policy could not be provided for fear it would “compromise information.”

Smith also said that when legislators asked to see the contract the state has with Trustwave, a data security firm, the version they received was heavily redacted (see photo on right).

Smith and Sheheen called for three steps:

  • An independent and comprehensive audit be conducted immediately of the DOR: to find out what really went wrong, why it went wrong, what should be done to fix it, and who ultimately bears the responsibility. Sheheen said the audit needs to be done outside of what SLED is currently investigating because its findings won’t necessarily be criminal in nature.
  • For a period of least five years and hopefully longer, the legislature should pass a tax credit allowing every citizen and business in South Carolina a tax credit for the cost of obtaining the necessary credit protection.

  • Reimburse any South Carolina citizen who suffers a theft of his or her assets as a result of the compromised data.

Gov. Haley’s spokesperson Rob Godfrey said she is not opposed to an independent audit, ”There has already been one, at the governor's request, but she has no objection to a second one. Gov. Haley looks forward to working with the General Assembly on ways to further protect and compensate affected taxpayers.”

Haley defeated Sheheen in the gubernatorial race in 2010.

Through Godfrey, Haley dismissed Sheheen’s assessment of her handling of the hack as purely political.

“While Sen. Vince Sheheen once again played the role of political opportunist this morning, the governor was in Cheraw announcing Schaeffler’s $40 million investment in our state and 190 more jobs for South Carolinians. Throughout Sen. Sheheen’s long career as a political insider, he has never uttered the word ‘cyber-security’ until this hacking incident occurred. We’re used to Sen. Sheheen’s lame attempts at political grandstanding. As Sen. Sheheen grandstands Gov. Haley will continue her diligent daily efforts to make sure every South Carolinian is protected and to prevent further attacks. Any time Sen. Sheheen and Columbia Democrats have a constructive idea for how to help, she’s ready to listen.”

See Patch's complete coverage of the hack HERE.

Keep up with all of Patch's coverage of South Carolina politics by following us on Facebook HERE and Twitter HERE.

Mike N. November 29, 2012 at 09:12 PM
It's no big mystery. The government was doing its best not to waste taxpayer money. The certainty of this sort of hack was clear only to those involved in that branch of law enforcement. Any request for this $15,000 dual password system or $5 million to encrypt SSNs would have been summarily dismissed by legislators as unnecessary. A Monday morning quarterback has a clear view of the situtation. Also what everyone doesn't realize is that the dual passwords and SSN encryptions alone would not have prevented this type of data theft from a determined attacker. Businesses lose millions of dollars each month from looted business bank accounts that were protected by dual passwords. And since the attacker had full control of the same system with authorized access, by definition they would also have full access to any SSN decryption method. Only the 3rd leg of security that is being added by South Carolina would have prevented this - a realtime network monitor to detect the unauthorized flow of data out of the database. The correct analogy is that lions go after the slowest zebras in the herd. Do any other states have any of the 3 protection systems that South Carolina is now getting?
rb November 30, 2012 at 01:28 AM
Gov. Haley...thanks for closing that barn door after the cow got out.
mesius November 30, 2012 at 03:45 PM
Well I guess something needed to be done urgently, to prevent further damage. Sheenan seems to be rather focusing on having a good reputation by announcing Schaefflers investment. At least in this economical downturns some companies still create jobs. I guess politicians should talk less and also focus on supplying more jobs to the public.


More »
Got a question? Something on your mind? Talk to your community, directly.
Note Article
Just a short thought to get the word out quickly about anything in your neighborhood.
Share something with your neighbors.What's on your mind?What's on your mind?Make an announcement, speak your mind, or sell somethingPost something
See more »