SC

Nikki Haley’s Data Breach Claims Debunked

GOVERNOR REBUKED BY INDUSTRY EXPERTS S.C. Gov. Nikki Haley’s public statements in the wake of an unprecedented security breach at the South Carolina Department of Revenue (SCDOR) are being challenged by industry experts. “The governor’s comments reflect unawareness of data security practices and are not at all reassuring,” network security…

GOVERNOR REBUKED BY INDUSTRY EXPERTS

S.C. Gov. Nikki Haley’s public statements in the wake of an unprecedented security breach at the South Carolina Department of Revenue (SCDOR) are being challenged by industry experts.

“The governor’s comments reflect unawareness of data security practices and are not at all reassuring,” network security Avivah Litan told Computer World.

Litan was referring to Haley’s claim that South Carolina was following “industry standard” practices when it failed to encrypt Social Security data that was stolen earlier this year by hackers presumed to be affiliated with an Eastern European crime syndicate.  Beginning on August 27, more than 3.6 million Social Security numbers and nearly 400,000 credit and debit card numbers were stolen from the agency.  Additional data – including individual tax return records – may have also been stolen, although Haley’s administration isn’t sure of the extent of the damage.

“To tell you (that) now would be guessing,” Haley told reporters this week.

How reassuring …

The breach at SCDOR was not discovered until October 10 and the public was not notified that its data had been stolen until October 26 – inexcusable delays given the sensitivity of the data involved.

Earlier this week, Haley claimed that nothing could have been done to stop the hackers – but she later admitted that “holes” in the state’s cyber security system had been filled in the wake of the successful penetration.

So which is it, governor?

In addition to avoiding this fundamental question, Haley also has yet to answer a host of interrogatories submitted by Democratic lawmakers regarding the breach … including an estimated price tag for the identity theft protection it is now having to provide (not to mention all the extra SCDOR workers hired to handle the flood of phone calls pouring in from nervous Palmetto State residents).

***

Related posts

SC

North Charleston Councilman Accuses Cop Of Falsifying Police Report

Will Folks
SC

‘Carolina Crossroads’ Update: SCDOT Set To Unveil New Plan To The Public

Will Folks
SC

Federal Lawsuit Alleges Racial Discrimination in Horry County School

Callie Lyons

55 comments

Cid October 30, 2012 at 4:51 pm

I bet Litan is a Democrat

Who you gonna believe?

A damn Socialist or Governor Nikki and the Tea Party?

Reply
Slingle October 30, 2012 at 5:23 pm

The damn Socialist.

Reply
Master Po Chang October 30, 2012 at 10:05 pm

A National Socialist or a Fabain Socialist?

Reply
notagain October 31, 2012 at 7:07 am

I believe the damned Socialist. Far more credible.

Reply
Colascguy October 31, 2012 at 10:30 am

As a conservative IT professional of 20 years, I called bull the day the Governor posted this on her Facebook page. Cid I would suggest you go read the Computer world article as it was not just one IT professional that said she was full of crap. Also I have never noticed a political leaning in any of the Computer World Articles.

http://www.computerworld.com/s/article/9233074/S.C._governor_s_post_breach_data_encryption_claims_are_off_base_analysts_say?taxonomyId=82&pageNumber=2

Reply
Bill October 31, 2012 at 11:52 am

Socialist or Nazis, Democrat or GOP?
Not much difference to me.

Reply
Johnny October 31, 2012 at 5:06 pm

The ugly witch is on the news in all her glory. She seems so happy while talking about our misery of being hacked.

Reply
Silvio Dante October 30, 2012 at 5:07 pm

Always believe the other person when she is in the equation.

Reply
Smirks October 30, 2012 at 5:14 pm

The state has agreed to offer free credit monitoring services and up to $1 million in identity theft insurance coverage for victims of the breach. More than 287,000 people have already signed up for the service, Haley said.

3.6 million people have their social security numbers taken and not even 10% of them have signed up for this credit monitoring yet. This is on top of the fact that instead of outlining ways to make sure this doesn’t happen again, all we get are excuses about how we are some weakling state incapable of decent network security and that scraping by with security measures is A-OK because “other people do it too.”

Might as well make our state nickname “The Hack-Me State” now. Smiling faces in foreign places.

Reply
Slinky October 30, 2012 at 9:18 pm

Okay, smarty pants. I called the day the story broke. It took 137 calls before I got through – then I spent another 45 minutes on hold. I was only able to spend two-plus hours on the phone because I am retired. They should NOT have asked people to call unless they were properly staffed to receive the calls. So, don’t critique the few people who have signed up only four days after this whole thing broke unless you’ve tried it.

That being said, I am no fan of the Gov. Still trying to figure out how she got elected. This whole debacle is inexcusable.

Reply
Smirks October 30, 2012 at 10:47 pm

I didn’t sign up on day 1, but I did sign up already. Funny thing is, I never had to call the number. I did it online with a generic code, scdor123, at the website given on the media sites.

The fact that it took 16 days to tell us and they couldn’t structure within that period of time a more simple way of enabling people to sign up is pathetic. Gridlocked phone lines probably hurt the number of people who would actually obtain protection from this fuck up. 3.6 million people were affected by this. How could no one expect such an outcome from deluging Experian’s call center with tens of thousands of panicked, outraged citizens worried about their financial security? Even releasing on a Friday afternoon drastically ruins things as it is meant to stifle media backlash, and therefore stifles notification for the people.

Even if you find the rate of people signing up acceptable, it doesn’t change the fact that 9 out of 10 of those SSNs are not being monitored. Sure, blame it on people being lazy or uninformed if you want, too, but it still isn’t their fault someone got their SSN.

There are no redeeming qualities to the response thus far, it is just failure after failure.

Reply
Smirks October 30, 2012 at 10:55 pm

And, just a note, I’m not blaming the people for the lack of sign ups. The media gave out the phone number per the state’s instructions. If they had given out both phone and Internet instructions, things would have gone much smoother.

Reply
Polly O'Graph October 30, 2012 at 5:25 pm

I love it when she contradicts herself – it is so cute!

“I didn’t fill out the employment application. But the password was the year I graduated.”

“I barely knew Will Folks. But I talked to him on his cell phone for hours in the middle of the nights because I am so busy and have to work late.”

“There is nothing we could have done. But the holes are now plugged.”

“I fired Darla Moore because she never returned the calls I made to her after I selected her replacement.”

“I never used my influence for Wilber Smith. They hired me because of my contacts.”

“I have never be unfaithful to my spouse. You can’t prove it.”

“I made $125,000 in my last job. We only made $25,000.”

Go Nikki! Don’t ever let the truth ruin a good story.

Reply
shifty henry October 30, 2012 at 5:39 pm

……. or a good day

Reply
baked October 30, 2012 at 5:30 pm

again…if nothing could have been done, does this mean that 49 other states’ departments of revenue have had similar experiences? why just SC?

Reply
shifty henry October 30, 2012 at 5:43 pm

Obama must be grinning and drooling ,,, asking himself “she would be PERFECT as a high level advisor” – where, oh where, can I place her to do the most damage………

Reply
Thomas October 30, 2012 at 5:53 pm

VOTE THE INCUMBENTS OUT OF OFFICE NOV 6!

Any hacker will tell you that Microsoft is like swiss cheese. They only patch holes when they have to. The Director who let this hack go on this long undetected and a few below him or her should be fired.

BTW—-FEDERAL INDICTMENTS TOMORROW WITH ILLEGAL GAMBLERS!!!!!

Reply
Thomas October 30, 2012 at 6:00 pm

BTW—the story we are commenting on is the poorest excuse of a rant passed off as some sort of legitimate journalism I have ever seen- it ain’t ballin’, it’s whining

Reply
shifty henry October 30, 2012 at 6:01 pm

Anybody know where the phone operators came from?

.. SCDOR employees ?

.. inmates from Broad River Road ?

.. friends from the Temple – shipped here from India ?

.. will she count them to “reduce” the unemployment statistic ?

==================================================================

I’m not complaining – just making some observations. I required two calls, and the operators were knowledgeable and courteous. Good luck to them because some callers will be abusive to them.

Reply
patriot October 30, 2012 at 6:12 pm

3 questioms:
1. Did I read where the State Inspector General just did a study on cabinet agencies’ IT departments?
2. Does the SCDOR have an internal audit dept?
3. Who is the hottie on the right in the picture?

Reply
Leslie October 31, 2012 at 6:56 pm

To answer #3, that Hottie is my big sister. PS: she has
Nothing to do with the state government or the
Hacking, just an unfortunate use of a picture from
A random event….

Reply
Cid October 30, 2012 at 6:51 pm

We need an immediate tax cut to pay this 12 million

That it is gonna cost to pay Experian

AND

We should fire half the people at the Dept of Revenue and NOT replace them

Then Re Elec Governor Nikki

Keep a workhorse workin!

Reply
Town Crier October 30, 2012 at 7:30 pm

About the only thing she hasn’t blamed for this debacle is a YouTube video.

BTW, awesome letter to the editor from John Rainey in today’s State newspaper about Nimrata’s comments on the “hacker.” The man has a way with words.

Reply
south mauldin October 30, 2012 at 8:04 pm

Great letter by Rainey. I’m sure she will take the poor little me they’re out to get me approach.

Reply
Clair October 30, 2012 at 7:50 pm

the inspector general has no staff or budget. What could he have done other that write letters.

Ask for the letters and emails concerning his “audit” and lets see if they exist.

I dont believe they do

Reply
Todd October 30, 2012 at 8:07 pm

You better believe I will be voting straight D from now on. Even if Alvin Greene’s mongaloid brother is on the ballot. Fuck these republicons.

Reply
Just Call me Ava October 30, 2012 at 9:31 pm

Nikki caught lying about something again? I’m shocked! Shocked I tell you!

Reply
Carpe Jugulum October 30, 2012 at 9:32 pm

Nikki is so full of crap her eyes are brown. The explanations and statements that she and Keel have made regarding the “breech” are stupid to the point of being insulting. It is useless to repeat them. You know what I am talking about. However, the super lame “we didn’t say anything because we didn’t want to mess up the investigation” has got to be the most hackneyed words uttered by either one of these gutless poltroons.

For months there have been news stories warning of cyber-terrorism and the consequences of cyber warfare. SLED is responsible for coordinating counter-terrorism information and infrastructure protection with local and state agencies and with the federal government through the SLED Fusion Center. The federal and state government has funneled money through SLED specifically to enhance its ability to interrupt and/or prevent terrorist activity in this state. What has this got to do with the DOR attack? Well, just what makes these two master sleuths so damn sure that it was simply criminal? We don’t know who got the information, what information they got, or what they plan to do with it. This is exactly the thing that terrorism experts have been warning would happen. However, where were Keel and the SLED Fusion Center? They were out in the parking lot eating chicken while 3.6 million people got ripped off in what quite possibly will go down as one of the biggest heist in American history or the first significant cyber terrorism act of the 21st century. Either way, our Governor and Keel will go down as a couple of colossal failures.

The reasons given for delaying informing the state of South Carolina that it had been the biggest victim of a crime in American history had absolutely nothing to do with protecting an investigative process. It had everything to do with buying time to get their stories straight. Remember Keel’s benchmark BS. They are hoping that by having press conferences and babbling jargon and implying that they are in possession of sensitive investigative information that everybody will be placated. No one will notice what a couple of pathetic douche bags they are. Apparently no significant lessons were learned in the LMC debacle.

Heads should roll, but they won’t. Moving to Georgia is starting to look like a good idea.

Reply
why us? October 30, 2012 at 9:58 pm

Ok, so I spent an hour on Google, and NO OTHER STATE IN THE COUNTRY HAS REPORTED BEING HACKED IN THE LAST 3 YEARS.

SO…..

Why us? Why did some “International crime syndicate” chose SC over the rest of the country?

AND THE BIGGER ISSUE IS….

Why in the hell is the Governor not solely responsible for this. It happened on her watch. She will likely fire some no name pencil pusher and blame it on them eventually, but she absolutely must be held accountable.

Reply
AnotherFineMess October 30, 2012 at 10:21 pm

We can fire Nikki Haley if we vote her out of office, but the Director of DOR, and IT folks at DSIT should be held accountable for this. All the BS in the world, can make this
“no one’s” fault or responsibility. Mr. Etters would have been better served to have had IT staff with him today in front of the Senate Finance Committee instead of a lawyer. Both of them looked like idiots who were simply flying by the seat of their pants. It is shameful, but unless the legislature grows some balls this too will be paid for by the taxpayers and covered up by the politicians.

Reply
IT October 31, 2012 at 12:15 pm

Your google skills have led you to incorrect information.
http://www.privacyrights.org/data-breach/new
Uncheck everything except Government and Military and Hacking/Malware.
There are several State Government agencies with Breaches. I realize SC’s is one of the largest, but it isn’ the only breach that has happened.

567,769,137 RECORDS BREACHED
from 3,465 DATA BREACHES made public since 2005

Reply
Inletman October 30, 2012 at 10:09 pm

She is a little girl.

Reply
insider October 31, 2012 at 9:50 am

No, she is a big girl, pounder wise, just acts like a little girl.

Reply
insider October 31, 2012 at 9:51 am

No, she is a big girl, pounders wise. She just acts like a little girl.

Reply
cherokee October 30, 2012 at 10:21 pm

Experian in jan.2008 announced it would cut 200 jobs at its operational headquarters in nottingham,uk & move work to INDIA to reduce cost.

Reply
Hopeless October 31, 2012 at 2:14 am

Damn. The whole thing was just a ploy to create more jobs in India. Do you think the hacker lives in India? Maybe he’s a cousin of our glorious queen.

Reply
Sailor October 30, 2012 at 10:41 pm

So, what’s happened to Big T(urd)? Did someone break his fingers? Did he run out of insults? Maybe he had a premonition about next Tuesday and his head exploded!! Let’s hope.

Reply
Archie October 30, 2012 at 11:36 pm

Who is the woman with the thick neck in the picture? Did she have anything to do with this fiasco?

Reply
LMN October 31, 2012 at 1:08 am

They look healthy and disease-free. I’d shag ’em both.

Reply
Leslie October 31, 2012 at 6:59 pm

FYI, that woman with the “thick neck” is my big sister and she has nothing to do with the state government or the hacking. This was just an unauthorized use of a picture from an earlier event. And by the way, you should be ashamed of yourself for criticizing someone you don’t know, very classless!!!

Reply
meanjean October 31, 2012 at 8:50 pm

She DOES NOT have a “thick neck”. She’s cute! These people are just asshole trolls!

Reply
Thomas October 31, 2012 at 1:40 am

Mike Garon
Senior Administrator and Chief Information Officer
Senior Administrator of Information Resource Management Division, CIO

as of: September 01 2012 PROGRAM MANAGER III $ 108,467.00

Mike Garon serves as the Senior Administrator of the Information Resource Division and DOR’s Chief Information Officer. IRM coordinates information technology direction and researches, designs, and implements all application systems that support the Department’s computerized functions. The division continually researches and analyzes functions in order to improve the quality of services for maximized operational efficiency. IRM also administers customer service and technical support of the South Carolina Business One Stop

Employment History
Senior Administrator of the Information Resource Division
South Carolina Department of Revenue
Past-President
SC.GMIS
Chief Information Officer
DOR
Senior Administrator and Chief Information Officer
State of South Carolina/Dep of Revenue
Vice President of Finance
PMI Midlands
Chief Information Officer
SECURA Insurance Companies
Board Memberships and Affiliations
Secretary-Treasurer
SC.GMIS
Board Member
SC.GMIS
Board Member
PMI Midlands

Mike Garon Senior …
http://www.sctax.org, 28 Sept 2012 [cached]
Mike Garon Senior Administrator of Information Resource Management Division,CIO (803) 898-5586 GaronM@sctax.org Mike Garon serves as the Senior Administrator of the Information Resource Division and DOR’s Chief Information Officer.
SC.GMIS Leadership
http://www.scgmis.org, 10 Feb 2009 [cached]
Mike Garon Senior Administrator & CIO SC Dept. of Revenue GaronM@sctax.org
Mike …
http://www.egovsc.com, 19 June 2002 [cached]
Mike Garon
SC.GMIS
301 Gervais Street, P.O. Box 125
Columbia, SC 29214
Mike is the SC.GMIS Secretary-Treasurer and can be reached at garonm@sctax.org or 803/898-5586.
PMI Portal – Board of Directors
http://www.pmi-midlands.org, 16 Dec 2006 [cached]
Vice President of Finance: Michael D. Garon, PMP
finance@pmi-midlands.org
803-898-5586 (o)
About Us – Testimonials – South Carolina Department of Revenue, Information Resource Management
http://www.glenridgegroup.com, 12 Oct 2011 [cached]
Mike Garon Chief Information Officer Information Resource Management South Carolina Department of Revenue

Reply
Thomas October 31, 2012 at 1:25 pm

This guy resigned in September. Why? Is he a person of interest? Disgruntled employee? He was in charge of breeches, no? What does he know and when did he know it?

Reply
Stimulus October 31, 2012 at 7:06 am

She is a stupid ugly bitch!

Reply
shifty henry October 31, 2012 at 7:47 am

I still think that a SCDOR employee contributed to this Charlie Foxtrot situation – probably took some info home to peek at (for some unknown reason) and screwed up royally (think Queen Nikki).

Reply
shifty henry October 31, 2012 at 7:50 am

This really screwed up Nikki’s vacation and fundraising plans – she can’t run and she can’t hide – well, “tough shit” to you, babe!

Reply
shifty henry October 31, 2012 at 8:27 am

Just read Rainey’s letter. He is on target for calling her out for her display of incompetence. Sorry, Nikki, but you have changed over the years from the sweet Clemson co-ed I knew to..what? I don’t have any good answer for that.

“Come back, Little Sheba, come back!”

Reply
Justus October 31, 2012 at 9:18 am

If I read correctly 250 people in the Department of Revenue have access to this information no wonder it was so easy!

Reply
insider October 31, 2012 at 9:57 am

Word on the street is that the hacking incident is fabricated, just like the the pageant disqualification. Just a way to get a kickback from the credit mon. agency. At 3.6 million people times $10 per person, that is 36 million per month. If she gets 10%, that is 3.6 million per month, for a year.

Reply
TheFunkyMonkey October 31, 2012 at 9:57 am

Two questions:

1. I signed up for ProtectMyID. If I call the toll-free number, will they confirm (or not) that my specific SSN has been breached?

2. Do we have legal recourse? If so, can anyone recommend an attorney to contact?

Thank you.

Reply
Thomas October 31, 2012 at 10:24 am

I thought the idea was that if my data was corrupt by this hacking, I would get free id coverage via the protectmyid.com/scdor. If not, then I was to pay for my own coverage via their denial of free coverage. I signed up last night on the web and have free coverage….shit! I can only assume that my data was corrupted and my Mexican or Russian counterpart, who ever has my SSN will get….NOTHING when they retire!

Bank accounts do have me worried.

Reply
TheFunkyMonkey October 31, 2012 at 11:00 am

Thanks Thomas. I called the toll-free # after signing up online and it’s a bit confusing to say the least. And then you can’t even get through so it’s no help currently…

I really hope that anyone who knows an attorney or who has contacted one can chime in about our legal options here. I’ve only lived in SC for 4 years so I’m not overly familiar with my options nor do I have access to a good attorney to consult with.

I would love nothing more than to fuck these assholes (no pun intended) through legal avenues who were stupid enough to not encrypt SSN numbers. If they didn’t do this basic task, imagine what other data is at risk.

I can’t believe the dumb cunt waited over two weeks to inform the public. And I still throw up in my mouth about the comment about “buying back the list”. She can’t be so dumb to think that the general population isn’t intelligent enough to see right through that nonsense. These fuckers that run this State are fucking idiots. I’m in the data business and I don’t think most understand the ramifications of this breach… If your SSN has been breached, you’re fucked as long as you breath oxygen on this planet — simple as that.

Reply
insider October 31, 2012 at 10:18 am

Interesting that the agency is outsourced to India? Of course, I think it is also interesting the the contact number for the Original Six Foundation is land line based in Bamberg.

Reply
Kevin November 2, 2012 at 3:46 pm

I’ve been following this story closely, and just shake my head at the rough shape South Carolina is in now because of lapses in cyber security. The free credit monitoring you’re receiving will do nothing to prevent identity fraud because it is a REACTIVE method that alerts you only AFTER the fact that something has been done to your financial accounts IF it catches it in the first place.

Prevention is sorely needed. The only prevention for identity fraud is ICONN from TASCET. Watch for it because it’s coming to South Carolina very soon to help you all out.

Reply
anonymous October 26, 2013 at 12:56 am

IDENTITY THEFT, SOUTH CAROLINA, EXPERIAN, NELSON MULLINS, AND $100,000.00

Law firm (Nelson Mullins) tries to clear up confusion about how Experian deal reached

November 27, 2012

COLUMBIA — Thad Westbrook of Nelson Mullins, a law firm representing the state in the aftermath of a massive cyber breach now says NO competitors were contacted before the state reached a $12 million no-bid contract with Experian.

Attorney Jon Neiditz of Columbia firm Nelson Mullins said the confusion over whether the firm had contacted other credit monitoring companies resulted from an unclear statement made by another attorney, Thad Westbrook.

The Revenue Department reached an initial agreement with Experian just before the breach affecting millions of current and former S.C. taxpayers was first announced publicly on Oct. 26.

The confusion over whether Thad Westbrook of Nelson Mullins ever reached out to Experian competitors began at an Oct. 30 Senate Finance Committee hearing from comments from Nelson Mullins attorney Thad Wetbrook.

Revenue Department Director James Etter, who is resigning effective at the end of this year, correctly told senators that no other companies were contacted besides Experian.

But Nelson Mullins attorney Thad Westbrook immediately followed up and told senators that pricing was obtained from two other firms but Experian had the ability to scale up quickly in an emergency situation.

Weeks after the hearing, Revenue Department spokeswoman Samantha Cheek named the other two companies that Nelson Mullins had obtained estimates from as Citreas and Identity Force.

Obtaining pricing information from Experian competitors and examination did not include reaching out to them.

Neiditz said he had pre-existing pricing information from various cyber security companies and knew Experian could offer the best deal. The leaders of other firms have disputed that assessment.

Neiditz said Monday that Thad Westbrook’s statement during the hearing caused confusion.

“It wasn’t clear,” Neiditz said. “It led to the impression that other companies had been contacted….I mentioned those vendors to him.”

Some senators have expressed concerns about the state’s NO-BID contract with Experian.

Anderson GOP Sen. Kevin Bryant said it’s worrisome that no other companies were approached following the breach.

“This snowball just keeps getting bigger and bigger as time goes by,” Bryant is co-chairman of a new oversight panel tasked with looking into the cyber attack.

Normally, state contracts are struck following a request for proposals from various companies.

The law states “competition as is practicable SHALL be obtained.”

Neiditz recommended Experian to his firm, which then recommended Experian to the state. Nelson Mullins and their attorneys are being paid an estimated $100,000 for its work assisting the state.

…EXPERIAN and two competitors as Thad Westbrook and Cheek said, but NEVER contacted any of them before deciding on Experian.

Neiditz said he first contacted Experian on Oct. 23, three days before the breach was announced.

Etter had told senators during the hearing that Experian was first contacted on Oct. 25.

The Secret Service alerted state officials to the breach on Oct. 10.

“As a result, I don’t think that those business models received full consideration. Neither did other companies.”

The CEOs of Citreas and Identity Force said that their pricing would have been competitive with Experian and their services would have been superior in some ways.

Vendors likely would have been beating down the state’s doors and possibly could have provided a better deal…

Nelson Mullins and their attorneys are being paid an estimated $100,000.00

http://www.postandcourier.com/article/20121127/PC16/121129491/

Reply

Leave a Comment