State officials did not do enough to prevent a cyber-attack at South Carolina's tax collection agency that exposed the personal data of nearly 4 million individual filers and 700,000 businesses, Gov. Nikki Haley said Tuesday.
Haley also said she accepted the resignation of Department of Revenue Director Jim Etter, effective Dec. 31.
"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley said in releasing a report from Mandiant. The computer security firm was hired Oct. 12 to close the gap and determine what happened. That was two days after the Secret Service notified state officials of the breach.
The release of Mandiant's findings follows weeks of Haley saying no one was to blame and nothing could have been done differently.
Haley said Mandiant showed Revenue's system was vulnerable because it did not require dual verification for someone trying to access tax returns and did not encrypt Social Security numbers. But the Republican governor blamed the debacle on antiquated state software and outdated IRS safety guidelines.
"This is a new era in time. You can't work with 1970 equipment. You can't go with compliance standards of the federal government," Haley said. "Both are outdated."
The Revenue hacker stole data from returns filed electronically, as far back as 1998 but mostly since 2002. The cyber-thief took 3.3 million unencrypted bank account numbers, as well as 5,000 expired credit card numbers. The Social Security numbers of 1.9 million children on parents' returns were also compromised.
The cyber-attack, believed to be the biggest on a state tax agency in the nation's history, follows the theft of patient data from the state's Medicaid agency earlier this year. In that instance, an employee is accused of physically removing the data.
Last week, Haley ordered all 16 of her Cabinet agencies to use computer monitoring by the state information technology division. Revenue has been criticized for previously turning down its free services. Haley is also transferring people to the state IT division, so that an employee can monitor Cabinet agencies' systems around the clock. All Cabinet agencies must also use a Mandiant service, dubbed "the hand," designed to shut down a computer if data is being improperly transferred.
Mandiant identified precisely whose information was stolen. Those taxpayers will be notified by email or letter, Haley said.