COLUMBIA — Under a deal negotiated with a credit monitoring agency, South Carolina citizens whose tax returns were hacked will be eligible for credit fraud resolution for life, officials said Tuesday.
Gov. Nikki Haley also said during a news conference that the state has negotiated with credit monitoring agency Experian to limit South Carolina’s costs for a year’s worth of credit monitoring to $12 million.
Officials announced last week that up to 3.6 million returns from as far back as 1998 may have been compromised by the international hacker, who likely penetrated the Department of Revenue’s system a month before the breach was detected by the U.S. Secret Service.
“This was a sophisticated hacker who came in and creatively got into the system,” Haley said. “This was no simple breach.”
The $12 million price tag is in addition to the $125,000 the state is paying a security firm to try to find ways to improve South Carolina’s systems. The Department of Revenue has also hired a law firm for advice, but agency officials didn’t specify how much that will cost the state.
So far, 287,000 people have signed up for monitoring, Haley said.
Repeatedly stressing that no one from the Revenue Department is to blame, Haley has also said that the database information wasn’t encrypted – and that the state had used the same standards as banks and other private institutions when it decided not to do so. But Haley’s office said that the state had now opted to begin encrypting all of the agency’s files – a process that should be completed in the next several months.
Increasing security for all of the state’s informational technology has also become a priority. On Friday, Haley signed an executive order directing all of her Cabinet agencies to
designate someone to cooperate with state Inspector General Patrick Maley on a new effort to improve the state’s cyber-security.
“State government’s fragmented approach to IT security makes South Carolina vulnerable to serious cyber and information breaches,” Haley wrote.
Later Monday, a state Senate committee was expected to question Revenue director Jim Etter on the breach.
The new review of state agency information technology security comes about six months after a similar review that followed another hack. In April, a project manager for the Department of Health and Human Services was accused of stealing hundreds of thousands of Medicaid patients’ information. After that discovery, Haley ordered a review the security systems of all state agencies.
During an April Cabinet meeting in which agency directors gave a rundown of their security procedures, Haley told them to make it clear to supervisors that future incidents wouldn’t be tolerated.
“If a supervisor has this happen under their watch, they will get fired, because this is not just about one employee. They are responsible, too,” she said. “We all appreciate our employees, but we also need to remind them they are responsible, and if something happens under their watch, they will pay the price.”
Christopher Lykes Jr., is still awaiting trial on five misdemeanor counts of violating the confidentiality of medical indigents and one count of disclosing confidential information. Authorities said he compiled more than 228,000 Medicaid patients’ personal information on a spreadsheet and sent it to his private email.