COLUMBIA — With one click, hackers likely were able to have their way with an S.C. Department of Revenue database that contained millions of tax records, according to a company that investigated the breach.
In a report released Tuesday, cyber security firm Mandiant said it thinks that on Aug. 13, a malicious email was sent to multiple Revenue Department employees.
At least one of the employees clicked the link in the email, unknowingly executing malicious software and compromising the database, according to the company.
Mandiant wrote in its report that it was unable to conclusively determine if this is how Revenue Department employee credentials used to enter the agency’s systems were obtained.
But the company said it based the theory on other facts discovered during the investigation.
The release of the report on Tuesday came as Gov. Nikki Haley announced the resignation of Revenue Department Director James Etter, and that only electronically-filed tax returns were compromised in the attack. Paper returns were not affected, she said. Haley said the state will be sending notification letters to those affected. People who have already signed up for credit monitoring with Experian will be notified by email.
The governor said the breach affected 3.8 million individual taxpayers, 1.9 million dependants, 699,900 businesses, 3.3 million bank accounts and 5,000 credit card accounts, all of which are now expired.
For weeks, officials had said 657,000 businesses were affected by the cyberattack. Haley explained the discrepancy Tuesday by saying the state was only 95 percent certain when it announced the earlier number.
Of Etter’s resignation, Haley said she still has confidence in his abilities, but “I think Jim and I both agree that we need a new set of eyes on the Department of Revenue.”
Etter will stay on the job until Dec. 31. He’ll be succeeded by Bill Blume, who’s currently serving as executive director of the new S.C. Public Employee Benefit Authority.
Haley struck a different tone Tuesday when describing Mandiant’s findings and how the hackers attacked the Revenue Department. She said the state “absolutely” could have done more to prevent the breach. Previously, Haley has repeatedly said nothing could have been done to stop the attack.
The two central faults the attack revealed, Haley said, were that the Revenue Department didn’t have dual verification to get into its system and Social Security numbers were unencrypted.
She said the lack of encryption was compliant with Internal Revenue Service requirements.
“Having said that, should we have done more? Yes, we should have done more than we did,” Haley said. An IRS official did not return a call seeking comment.
Haley said the state is in the process of encrypting all Social Security numbers on tax returns, and she released a letter she wrote to the IRS asking the agency to require all states to have stronger security measures for handling tax information.
“We have filers in South Carolina that file in other states, and they are not safe in other states as long as these numbers are not encrypted,” she said.
Officials in neighboring Georgia and North Carolina have told the Greenville News that those states’ revenue agencies encrypt all data.
Without knowing for certain how the attackers got into the Revenue Department database, Mandiant was still able to assess other aspects of the breach.
Among the company’s findings:
• The attacker compromised a total of 44 systems. One system had malicious “backdoor” software installed. Three systems had database backups or files stolen. The attacker accessed 39 of the 44 systems, performing activities involving passwords and reconnaissance.
• The hacker used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft activities.
• The attacker used at least four valid Revenue user accounts during the attack.
Mandiant wrote that no hacker activity has been detected since the company recommended immediate changes to Revenue Department security procedures. Longer-term improvements are in the process of being put in place, according to the company. Haley last week detailed new cyber security steps the state is taking. On Tuesday, she said she will also offer additional proposals for introduction in the Legislature.
Reach Stephen Largen at 864-641-8172 and follow him on Twitter @stephenlargen.
Notice about comments: