SC Dept. of Revenue Director James Etter testifies to the Senate Finance Committee on Oct. 30, 2012.
Tim Smith, The Greenville News
COLUMBIA - South Carolina's identity theft nightmare has grown to include some businesses, and officials have disclosed for the first time that the hacker was able to crack the system by somehow obtaining the credentials of a Department of Revenue employee.
Jim Etter, director of the Revenue Department, disclosed after repeated questioning from senators Monday about the possible impact of the breach on small businesses that an unspecified number of state identity numbers used for corporations had been "compromised" at the same time as 3.6 million Social Security numbers and 387,000 mostly encrypted credit or debit card numbers.
Etter also disclosed Tuesday that the hacker was able to breach the Revenue Department's system by somehow obtaining employee credentials. He said about 250 employees have special credentials that allow them access to the system. He declined to say whether the state knew whose credentials were used.
In other developments related to the breach:
- Gov. Nikki Haley announced that the state had negotiated an agreement with Experian, which is providing identity theft protection and credit monitoring for taxpayers who have filed returns since 1998, to cap costs for taxpayers at $12 million. Credit monitoring under the service will last for one year but officials say fraud protection will remain for life. Taxpayers can go to www.protectmyid.com/scdor and use the activation code SCDOR123 to begin the process.
- Etter said that 5,000 of the credit or debit card numbers exposed in the hacking are expired cards that can't be used.
- As of noon Tuesday, 310,000 people had enrolled in the identity theft protection plan offered by Experian.
- The charges so far for Mandiant, a computer security firm hired by the Revenue Department to help find any holes in its system and repair them, are $125,000, officials said.
The disclosures by Etter came five days after Haley first publicly disclosed the breach, the largest in state government history.
The hacker's first intrusion was on Aug. 27 and three more followed before any data was compromised, officials said. The breach was discovered by the U.S. Secret Service, which notified state officials. Law enforcement officials asked Haley not to disclose the hacking until their investigation was developed further.
Haley said Tuesday the breach wasn't a routine hacking job.
"This was a sophisticated hacker who creatively looked at the system," she said. "This was no simple breach."
Haley also said there was no "hole" in Revenue Department's system, a statement her spokesman later explained meant there was no error by agency personnel or the system that enabled the breach to occur.
Etter said the only way the hacker could obtain access to the files was by using credentials assigned to an employee there. Senate Finance Committee Chairman Hugh Leatherman stopped further questioning of Etter, saying he didn't want to impair the criminal investigation.
Officials haven't disclosed exactly how the hacker breached the system, which had been reviewed by Haley's inspector general.
Several senators, including Senate Majority Leader Harvey Peeler, asked Etter about the impact of the hacking on businesses. A spokesman for Haley said Monday officials then were unaware of any business information that was compromised.
Etter first told senators that authorities wouldn't know whether business information was on the files breached until after a thorough examination of the files, in about two to four weeks.
"That's not acceptable," Peeler said. "I can't go back to small businesses and say, 'Trust me,'" he said.
Peeler gave Etter until the end of the meeting to determine an answer.
Near the end of the meeting, Etter said he had learned that some state identity numbers used for corporations were in the files that were breached.
Etter said officials will re-number each corporation in their system to help prevent any problems. He said his agency also would look at offering an identity theft protection service for businesses the same way such a service has been offered to individuals in the state.
"I can't tell you how many were compromised," Etter told members of the Senate Finance Committee on Tuesday.
Etter said the numbers aren't the same numbers used by the federal government to identify corporations.
But he gave few other details or promises on how the state would address the issue, and senators ended the meeting grumbling about not getting all the information they wanted.
Peeler explained that senators were transferring their constituents' frustration to Etter but still hoped to hear more.
"Questions are leading answers two to one," he said.
Leatherman was among several senators who said they were dissatisfied.
"I'm getting more frustrated by the moment," he said.
Several senators pressed Etter to develop a different approach for identity theft protection so the state could do the work instead of placing the burden on the taxpayer.
But Etter and Thad Westbrook, an attorney with the law firm of Nelson Mullins hired to assist the agency, said Experian requires each person covered to answer personal information questions to verify their identity, something the agency couldn't readily do. They also said having the Revenue Department to approach Experian raised privacy law concerns.
"Bullfeathers," responded Sen. Phil Leventis of Sumter. "There is no privacy issue. We ought to be the ones holding the bag."
Sen. John Matthews of Orangeburg said the system set up by the Revenue Department doesn't help the elderly, disabled or the many who aren't sophisticated enough to navigate the Experian website or the system, even with assistance by phone.
"I think you are treating taxpayers unfairly," he said. "You are leaving them out in the cold."
Officials said military personnel are being contacted by the U.S. Department of Defense so the Revenue Department can arrange to notify them about the breach and identity theft protection service. Westbrook said out-of-state residents who at one time filed South Carolina returns also will be notified by the agency at some point.
Several senators also wanted to know why the Revenue Department hadn't encrypted Social Security numbers and other information before the hacking.
Etter said the agency's system was designed years ago without encryption. Officials are in the process now of encrypting all information, a process that could take up to 90 days.
Etter said in a conference call Tuesday that officials with 15 of 19 states said they didn't encrypt their information.
Sen. Kevin Bryant of Anderson said he was surprised the agency didn't encrypt all of its files before now.
Sen. Larry Grooms, chairman of the Senate Transportation Committee, said he doesn't believe the agency has been looking out for taxpayers.
"I believe the agency was more interested in squeezing taxpayers than protecting taxpayers," he said.
Leventis asked Etter if anyone would lose their job over the hacking.
Etter repeated Haley's description of the hacking as unavoidable.
Haley earlier said she understood why people wanted to blame someone for what happened.
"This was no issue with someone in the agency," Haley said. "This was not a hole that was within DOR. This was a true, sophisticated breach."
Haley said wait times on the phone calls for Experian have dropped since Friday, also an interest of senators.
Haley blamed the clogged lines on members of the news media, who she said were calling to see if the process worked.