S.C. revenue agency says business info also hacked
COLUMBIA — South Carolina companies also fell victim to an international computer hacker, the state revenue director said Tuesday.
Director Jim Etter told senators that companies’ state identification numbers were in the accessed file, but he didn’t yet know the scope.
Those comments came toward the end of a several-hour grilling from Senate Finance Committee members. When he earlier said he’d find out the effect on small businesses and report back later, Senate Majority Leader Harvey Peeler slowly shook his head and said, “That’s not acceptable. I can’t go back to Gaffney and say, ‘Trust me.”’
Etter was briefing senators on Friday’s announcement that up to 3.6 million returns from as far back as 1998 may have been compromised.
“My constituents are close to panic. They’re frightened. They’re panicked, and I’m hearing, ‘We’ll look into that.’ Another time is here. We’ve got constituents mad as hornets, and they’re stinging us pretty bad,” said Senate Finance Committee Chairman Hugh Leatherman, R-Florence.
Etter left immediately after the meeting. Exactly which business data was compromised is still being determined, agency spokeswoman Samantha Cheek said via email.
The state is offering residents free credit monitoring for a year through Experian. Gov. Nikki Haley negotiated a contract with the company capped at $12 million – which Etter called a bargain considering the company’s normal rate for the service. All taxpayers have until Jan. 31 to sign up. As of Tuesday, 310,000 residents had signed up through either a toll-free number or an Internet site, Etter said.
Cheek said businesses organized as a sole proprietorship, partnership or single-member LLC may also benefit from the fraud alert service, because it’s linked to an individual’s credit report. Corporations would not.
Senators wanted the state to be proactive and sign people up automatically. But Etter said people must sign up themselves due to privacy concerns and because Experian will ask private information that only the taxpayer should know. The state plans to notify taxpayers who live or have moved out of state. That includes military service members who may be overseas. The agency is working with the Department of Defense, he said.
Senators said his answers weren’t good enough.
“So many people can’t access it or won’t access it. We put an obligation on people based on a failure of our responsibilities,” said Sen. Phil Leventis, D-Sumter. “Privacy issues, my foot! You’re going to allow people to be victimized.”
Haley has said no one at the agency is to blame. But senators wanted to know if someone would be fired.
“This is not a normal intrusion into our system. It is completely outside what would happen within the organization,” Etter said.
Pressed further, he said the hacker had to have certain credentials to get into the agency’s computer system, though how the hacker obtained them is unknown. Etter said 250 employees – or more than one-third of the agency’s staff – have those codes.
The agency’s former head of information management resigned, effective Sept. 21. An interim senior administrator of information resource management has been named, Cheek said. She declined to answer further questions, calling it a personnel matter.
Etter said the hacker removed the data Sept. 13, and there’s been no intrusion since.
The Secret Service contacted state law enforcement officials on Oct. 10. Recommendations from a cyber-security firm, contracted within 48 hours, allowed the agency to “close the breach” Oct. 20.
Etter said law enforcement dictated the timing of the announcement last Friday afternoon. He said the S.C. State Law Enforcement Division and Secret Service made clear that doing so earlier meant the state would lose its chance of identifying the hacker and recovering the data.