Columbia, SC (WLTX) -- South Carolina Department of Revenue officials told a Senate Subcommittee Wednesday the massive hacking of state records could have been prevented, and that the agency went more than a year without a cyber security officer.
A Senate Subcommittee, tasked with investigating the security breach at the Department of Revenue, wanted answers about the breach that exposed 3.8 million South Carolinians' personal information.
According to state officials, the hacker gained access to the system through a phishing email. They then stole that employee's username and password.
Wednesday, a Senate subcommittee heard that a small, cheap piece of added security could have prevented putting millions of South Carolinians' identities at risk.
The director of the security company Mandiant, hired to investigate the breach at the SCDOR, says that because the hacker logged in using an employee's credentials, the system didn't detect a threat.
"From a systems perspective, everything that happened looked normal," said Marshall Heilman.
Heilman tells the Senate subcommittee an added layer of password protection, like a changing security key number you have to enter manually, would have prevented the attack.
"But in this particular case, as the attack occurred, if the Department had multi-factored authentication on that remote access system the attacker would not have been able to log in using user credentials," said Heilman.
Senator Kevin Bryant (R-Anderson) is stunned.
"The multi-factored authentication could have prevented this. It would not have cost any more than twenty-five thousand dollars," said Bryant.
Jim Etter, Director of the SC Department of Revenue, told the committee from September of 2011 to August of 2012 they were without a cyber security officer. The first malicious email was sent on August 13th.
"We were actively looking for someone at that point so we were not sitting on our heels not trying to find someone," said Etter.
Etter says the former chief information officer could not find anyone willing to accept the job for $100,000.
"I mean, how many banks go eleven months without a security guard?" asked Sen. Bryant.
The committee asked SLED Director Mark Keel if he knows if stolen social security numbers have been used. He replied, "I don't know." As more questions rise, so does the frustration among state lawmakers.
"I've got a hundred and ten thousand constituents and they are fuming and they should be. The government dropped the ball. This is a disaster," said Sen. Bryant.
In 2006, the State Revenue department did look at encrypting all data.
A study showed it would have cost five million dollars to achieve that level of encryption. However, Director Jim Etter says they never pursued or requested that money from the state.
The agency is now spending $25,000 on devices that add another security step for someone trying to log into the system remotely.
Follow News19 reporter Nate Stewart on Twitter: @WLTXNATESTEWART