SC Dept. of Revenue Director James Etter testifies to the Senate Finance Committee on Oct. 30, 2012.
Columbia, SC (WLTX) - Outgoing South Carolina Department of Revenue Director Jim Etter said Wednesday that his agency did not have a security expert in the 11 months leading up to the massive hacking that compromised millions of people's personal data.
Etter testified before the state senate panel looking into the security breech. Over 3.8 million Social Security numbers were compromised, and 3.3 million bank accounts' data was taken.
Etter announced earlier this month his resignation that will be effective on December 31st. Bill Blume will be acting director. Previous Coverage: Jim Etter Resigns
During his statement, Etter told senators that the SCDOR didn't have anyone qualified to evaluate security from September of 2011 to August of 2012.
In a timeline released as part of a report by security firm Mandiant, the hacking of the SCDOR's records began on August 13th, when a foreign hacker sent a phishing email to agency employees.
Etter said during the 11 months without a security expert, the agency's chief information officer was in charge; however, Etter said he's not sure if that person was qualified for that position.
Etter said the agency lacked the money to hire someone properly trained for the job.
Funding, he said, also cost the state an opportunity to encrypt their data six years before the breach took place. In 2006, Etter said SCDOR looked at encrypting all data, including Social Security numbers. A cost study, though, found that it would take $5 million to put that layer of protection in place, a price Etter said would have made it ineffective to do so.
He says his agency never requested or pursued the money.
Etter said his agency has training classes for new employees and security manuals with procedures for information technology security.
Since the hacking, Etter said Mandiant has given SCDOR 19 recommendations which the agency has put in place.