State officials did not do enough to prevent a cyber-attack at South Carolina's tax collection agency that exposed the personal data of nearly 4 million individual filers and 700,000 businesses, Gov. Nikki Haley said Tuesday.
Haley also said she accepted the resignation of Department of Revenue Director Jim Etter, effective Dec. 31.
"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley said in releasing a report from Mandiant. The computer security firm was hired Oct. 12 to close the gap and determine what happened. That was two days after the Secret Service notified state officials of the breach.
The release of Mandiant's findings follows weeks of Haley saying no one was to blame and nothing could have been done differently.
Haley said Mandiant showed the revenue department's system was vulnerable because it did not require dual verification for someone trying to access tax returns and did not encrypt Social Security numbers. But the Republican governor blamed the debacle on antiquated state software and outdated IRS security guidelines.
"This is a new era in time," Haley said. "You can't work with 1970 equipment. You can't go with compliance standards of the federal government. Both are outdated."
The hacker stole data from returns filed electronically, as far back as 1998, but mostly since 2002. The cyber-thief took 3.3 million unencrypted bank account numbers, as well as 5,000 expired credit card numbers. The Social Security numbers of 1.9 million children on parents' returns were also compromised.
Haley said 3.8 million individual tax filers and 699,000 businesses should assume their entire reports were accessed.
The cyber-attack, believed to be the largest on a state tax agency in the nation's history, follows the theft of patient data from the state's Medicaid agency earlier this year. In that instance, an employee is accused of physically removing the data.
Last week, Haley ordered all of her 16 Cabinet agencies to use computer monitoring by the state information technology division. The revenue department has been criticized for previously turning down its free services. Haley is also transferring personnel to the state IT division, so that an employee can monitor Cabinet agencies' systems around the clock. All Cabinet agencies must also use a Mandiant service, dubbed "the hand," designed to shut down a computer if data is being improperly transferred.
Mandiant has identified precisely whose information was stolen, and those taxpayers will be notified by email or letter, Haley said.
The governor also added that Etter's resignation doesn't mean he is to blame.
"Jim and I came to an understanding," she said. "We need a new set of eyes at the Department of Revenue."
Bill Blume, executive director of the state's Public Employee Benefit Authority, will replace Etter. Blume's replacement has not been announced.
The cost of the state's response has exceeded $14 million. That includes $12 million to the Experian credit-monitoring agency to cover taxpayers who sign up — half of which is due next month — and nearly $800,000 for the extra security measures ordered last week.
The Revenue Department has estimated spending $500,000 for Mandiant, $100,000 for outside attorneys and $150,000 for a public relations firm. But those costs will depend on the total hours those firms eventually spend on the issue. The agency also expects to spend $740,000 to mail letters to an estimated 1.3 million out-of-state taxpayers.