Incompetence, apathy and “inappropriate” priorities characterized the South Carolina Department of Revenue’s approach to data security in the months leading to the nation’s largest-known breach of sensitive personal and financial information involving a state agency, according to a former agency insider who spoke publicly for the first time on Thursday.
Testifying before a stunned state House special committee investigating the massive cyber-hacking incident, former DOR IT security officer Scott Shealy described an agency operating for almost a year with no data security chief, no data security team and, allegedly, no data security clue.
Shealy’s testimony provided the public a first glimpse of conditions within the Department of Revenue in the months prior to the breach and painted a grim picture of penny-pinching bosses with a fundamental lack of understanding of precisely how at risk the agency was.
In August and September, hackers were able to gain access to DOR computers and steal tax data, including Social Security and bank account numbers, belonging to 3.8 million taxpayers, 1.9 million dependents and 700,000 businesses, state officials said earlier.
The state reportedly is spending some $20 million so far to offer free credit monitoring to hacking victims; mail notifications to victims; beef up data security at DOR; and hire computer-consulting, law and public-relations firms.
“My perception was that, quite frankly, the CIO (Chief Information Officer ) at the time (Mike Garon) did not consider (data security) to be a priority,” said Shealy, who worked for DOR from February 1997 to September 2011 before resigning as the IT security officer, a position he had held since 2006, to go to work for the state Judicial Department. “I think he (Garon) felt that what we had been doing for quite some time was adequate, and we did not take additional measures.
“There is a vast amount of personal taxpayer information, as well as massive amounts of other information that hasn’t been disclosed, that resides within that organization. It is very, very critical that that information stay well-protected and well-guarded. What I found working within the IT infrastructure within the organization, quite honestly, is that it did not get the attention that was required to adequately maintain security.”
Shealy also contended that Garon, who resigned three weeks before the breach scandal was disclosed, consistently declined state-provided, free data-security monitoring services that more than 50 state agencies and local governments take advantage of every day; and refused employee continuing-education opportunities that, at a cost of $2 per employee, would have included training specifically on the type of attack that South Carolina reportedly fell victim to.
Shealy said either of those alternatives could have prevented, or at least mitigated, the breach, calling Garon’s position on both issues “alarming.”
Garon has not testified about the breach.
What appeared to be most troubling to the committee and Shealy was the lack of a will to hire a new IT security chief for 10 months after his departure, a move he said was indicative of how unimportant data security was and how little agency leadership understood it. Shealy said not only did his position go unfilled, but it also went unadvertised for six months while the data security team that worked under him was effectively dismantled.
That revelation led Rep. Andy Patrick, R-Beaufort, to ask whether the security protocols that existed when Shealy was security chief existed at the time of the breach.
“Based on my personal knowledge of what transpired within the organization after my departure, I would have to say absolutely not,” Shealy said. “The IT security group that I was responsible for, upon my departure, was essentially disbanded and reassigned to other areas.
“I know there’s been some argument or concern that the lack of an IT security officer in the organization for a period of almost a year, roughly 10 months, had an impact in what occurred; and I would have to agree with that 100 percent.”
That statement led to the following exchange between Shealy and House minority leader Harry Ott, D-Calhoun:
Ott: “When you resigned in 2011, I would infer that in an effort to save money, rather than hire somebody to replace you, they allowed your position to unfilled for almost a year. During that year, because there was no security officer on staff, when they were notified of this (suspicious) email, I’m not sure they had a security person there to know how to respond.”
Shealy: “I would agree with that statement.”
Ott: “So, in an effort to save pennies, we’re going to spend millions of dollars to fix a problem that hiring one security officer who knew how to respond appropriately to an email could have stopped before we had a problem.”
Another issue Shealy tackled was the characterization of the sophistication of the hacker. Initially, Gov. Nikki Haley characterized the attack as sophisticated and said it couldn’t have been prevented, though she later acknowledged that she should have done more to protect taxpayers.
In recent weeks, experts have testified that simple dual-password systems and having better oversight – oversight that previously existed – could have helped, if not stopped, the breach; and that the level of the attack was below average.
“We heard testimony at our last meeting that the intellectual level of the hacker that stole our information was a four on a scale of one to 10,” Ott said. “That’s way down below 50 percent where I come from. So we wouldn’t have had to even be really smart to keep this from happening if we’d had had (Shealy) or somebody else in a security officer position to deal with it.”
Shealy agreed, taking Ott’s point even further.
“It’s my understanding that the majority of this process was initiated as a result of a malicious email, or a phishing attack, that an employee opened and disclosed some credentials that allowed the process to continue.
“I can assure you that phishing attacks occur daily within every agency in this state. It’s important not only to be monitoring the systems that can detect those kinds of attacks so that not only can you identify that computer or person who received a certain email, but anything else within the organization to detect the same breach. My personal feeling is that there was a lack of oversight in the day-to-day operations that potentially could have spotted that and stopped it sometime prior to what transpired afterward.”
As to who was ultimately responsible for the massive cyber-theft, Shealy said he had nothing but “kind words” for former DOR Director Jim Etter, who resigned last month. Rep. Ronnie Sabb, D-Williamsburg, asked Shealy point blank if the lack of security measures to curtail the breach could be laid at the feet of Garon.
“Absolutely,” Shealy replied. “Absolutely.”
“There are a lot of individuals within the Department of Revenue that take their jobs very seriously,” Shealy continued, “and personally I feel like senior management – the former CIO especially – had a great deal to do with it.
“I think it was ironic that his departure occurred about a month before this breach was disclosed. I think if he was to be brought forth, a lot of additional information could be obtained.”
The House special committee plans to meet again next Thursday.
Reach Aiken at (803) 200-8809 or firstname.lastname@example.org