Tim Smith, The Greenville News
COLUMBIA - The warnings were there.
But even as a hacker was cracking into the state Department of Revenue database, the top expert for the state hired to assess computer security at 16 agencies was sounding notes of confidence.
And the former FBI agent directed by Gov. Nikki Haley to review the system after a series of breaches at agencies said with some resignation that if a hacker wanted to get into a system bad enough, then no system is safe.
Haley ordered a review of state computer security and asked for summaries of the actions taken since April. Still, as of this week, the Department of Revenue had not turned in any information, said a spokesman for the governor.
In February, the director of the state Department of Motor Vehicles told lawmakers that foreign hackers were attacking his agency's computer systems on a daily basis, trying to get into databases that contained a treasure trove of driver personal information.
In April, a state Medicaid employee was charged with six counts of violating confidentiality and Medicaid laws after authorities accused him of transferring records on nearly 230,000 Medicaid patients to his email account and then sending a copy to another person.
And in August, the University of South Carolina's College of Education disclosed that records of 34,000 students, faculty and researchers had been exposed during a security breach by an overseas hacker.
But even after that, officials believed the state's computers, at least those operated by Gov. Nikki Haley's 16 cabinet agencies, were safely protecting data with personal information.
In fact, records show, by the time Department of Revenue computers were successfully hacked, state Inspector General Patrick Maley had already delivered a letter to Haley informing her that his review of nine cabinet agencies, including the Department of Revenue, had found them to be in "substantial compliance with sound computer security practices."
Haley in April had threatened to fire any supervisor of any of her cabinet agencies if another database security breach occurred and asked Maley to check the security at each of her agencies' computer systems.
"State government is entrusted with vital personal information from South Carolinians, it's our job to secure that personal information, and that's why the governor asked Inspector General Patrick Maley to review information security at cabinet agencies and make recommendations for how to strengthen it," Haley spokesman Rob Godfrey told GreenvilleOnline.com.
"Many cabinet agencies have already strengthened their information security, and we're not going to stop until we have the strongest information-security practices in the country."
Lindsey Kremlick, spokeswoman for the state Budget and Control Board, which houses the state's information technology office, said there is no centralized computer system for state agencies in South Carolina, making it impossible to know exactly how many security breaches have occurred.
"Agencies independently manage their own information technology including data, applications, security and infrastructure," she said. "Agencies are not required to utilize the Budget and Control Board's Division of State Information Technology's (DSIT) IT services. For these reasons, we cannot accurately provide an inventory of all statewide computer systems, spending information related to computer security, or statistics related to security breaches for the state."
She said computer attacks are a continuing threat for any organization operating computer systems.
"These threats exist for individuals, all levels of government and private industry that operate computer systems," she said. "However, most attempts are blocked through hardware and software measures, user behavior and system monitoring."
'No risk-less system'
Maley, a former FBI agent, told GreenvilleOnline.com that a system's security has to be viewed in terms of the risk the operators are willing to assume.
"I feel like they have a fundamentally sound information security system based on the risk," he said of the cabinet agencies.
"It's been my experience that your information security system is only a function of how bad somebody wants to look at it. I can assure you, if somebody wants to get into your system, they can get into your system. The question is how much time, energy and commitment they have and how hard are you going to make it for them to minimize that risk. There is no risk-less system."
State Law Enforcement Division Chief Mark Keel said South Carolina is not unique in attempts by hackers to breach computer security at state agencies.
"It's nationwide," he said. "Systems are constantly being hit trying to find a way into them, whether it's just to plant a virus or whatever. That's just a constant thing that we see."
Marcos Vieyra, chief information security officer for the University of South Carolina, said attacks by hackers on his system are "extremely common." He said hackers are drawn to college computer systems for their open networks, fast Internet access and proprietary research data.
Preventing breaches, he said, "is a constant struggle."
Maley said he discounted four agencies from his review because they did not have any personal information stored on anyone other than employees.
He also did not review security around the Department of Health and Human Services because consultants were already examining what happened in the database theft and would make recommendations.
For the others, he said his office examined each agency based on nine system security standards used by a state information technology committee made up of chief information officers from various agencies and universities.
What he and investigator George Davis found, he said, was a bell curve of results - two or three well above the others, four or five in the middle and two agencies with more substantive findings.
He would not disclose the identities of the agencies or the exact details but said he will eventually release his reports.
He said the Department of Revenue is among the nine reviewed but would not discuss his findings yet, saying he wants permission from law enforcement first.
The most common problems he found, he said, were that agencies did not have a response plan in case of a security breach, lacked adequate security for the paper records that contain confidential information and did not regularly search for personal information that might be stored in multiple computer files.
Maley characterized the findings as problems with the "icing" of computer security rather than with the "cake."
Davis said the response plan is important because it's more a matter of when than if an agency will be hacked.
"There is so much effort now to steal this data and get this data," Davis said. "You just can't protect it 100 percent of the time. And you can't protect it from every effort."
Maley said each agency was asked whether it had experienced computer security breaches or loss of information.
Davis said officials reported such instances were "rare."
"Other than one or two records getting compromised here and there, none of them reported anything over the past five or 10 years," he said.
Maley said agencies "were fixing things that needed to be fixed."
Some of the nine agencies reported reporting back to the governor on actions they had taken said they had done many things to tighten security, while others mentioned more of what they already had in place.
The Department of Health and Human Services, for instance, has instituted new data access and security policies, including policies to restrict access to data to employees with duties that require such access.
Updated tools now allow officials to identify personal information contained in emails.
And a new policy on outside employment "is designed to deter employees from improperly benefiting from their position and/or the data they may have access to," according to the agency's summary obtained by GreenvilleOnline.com.
At the Department of Employment and Workforce, remote access to computer systems is now secured using a "best-practices" authentication, controls have been implemented to revoke access to computer systems once an employee is terminated, security has been increased over stored paper documents and officials are scanning all computers used in the agency's SCWorks centers for any personal information.
At the Department of Labor, Licensing and Regulation, pending use policies will provide for more monitoring of Internet usage, officials are working on a mechanism for generating documents that limits and logs all user activity, and building security is being audited and restricted based on an as-needed basis for work outside normal hours.
And at the Department of Transportation, Social Security numbers have been eliminated from all reports and encryption has been added onto files with personal information.
Maley said one issue that he found is that while all the agencies have computer security policies and training programs on security, they are not uniform.
That's because the state has 100 agencies, boards, universities and colleges with computer systems, he said, with no one security policy or authority controlling each.
However, he said the information technology committee has developed uniform standards that may soon be recommended to all agencies and schools.
"There were no gaping holes of the security systems of these 16 agencies," he said. "But there were areas to improve."