COLUMBIA — The Department of Revenue was more concerned with keeping employees from accessing news, sports and social media websites on their work computers than protecting taxpayer data like Social Security numbers, a former computer security chief at the agency said Thursday.
Scott Shealy told a S.C. House committee investigating hacked tax records at the Revenue Department that he spoke to his bosses for several years about how information should be encrypted and employees should be required to enter a code or scan a thumbprint to access the information.
Computer security experts said either step could have lessened the impact or stopped the hacker who accessed 4 million state tax returns and likely stole Social Security numbers, bank account information and other sensitive data.
Shealy said Mike Garon, the Department of Revenue’s former chief information officer, was a micromanager who didn’t listen to the advice of those under him.
“As a security officer, I was unable to adequately perform my job function because I did not have the support of my CIO,” said Shealy, who spoke publicly for the first time since leaving the agency to work elsewhere in state government a year before the hacking in September 2011.
Garon resigned in September, while the hacker was accessing the agency’s computer and a month before the security breach was revealed. The agency has refused to say why Garon quit, but said it was unrelated to the hacking. He has not spoken publically.
Phone numbers for Garon had been disconnected Thursday, and he has refused to return messages from The Associated Press before. The Revenue Department also refused to address Shealy’s specific allegations, instead releasing a statement that read: “As an agency we are focusing on what we can do in the future to safeguard taxpayer data to help prevent similar occurrences.”
Shealy testified for more than an hour, his voice and hands sometime shaking. He told the agency the hacking incident hurt him deeply.
“I was very discouraged, because I take it personally as being one that worked for many years with security within the organization,” Shealy said.
He left the Revenue Department to handle computer information for Chief Justice Jean Toal. The agency didn’t replace him for a year, and Shealy said former colleagues phoned him to ask for information like the password for the agency’s firewall, meant to keep out cyber intruders. He told them it should have been changed not long after he left, and he later found out that it was likely changed several times without employees being told.
Shealy said the agency also cut back on efforts to teach employees how to be careful with their computers and prevent cyber scams. An outside investigation found the hacker likely was first able to enter Revenue’s computer system by getting an employee to click on a malicious link and spent a month undetected, setting up other ways to get in the system before stealing the data.
It didn’t seem like a clever or hard-to-detect scheme, said Shealy, who added that the incident could have been even worse if the hacker managed to get into a different system where Revenue employees can access Department of Motor Vehicle information or databases of licensed employees to help in audits.
“There is more information within that organization than just tax information, or taxpayer information,” Shealy said. “It requires a high level of security and a high level of management and oversight. And that fell very short.”