HUNDREDS OF MILLIONS OF DOLLARS LIKELY TO BE LOST
The failure of S.C. Gov. Nikki Haley’s Department of Revenue (SCDOR) to adequately protect tax information for hundreds of thousands of South Carolina businesses could wind up costing them hundreds of millions of dollars.
In fact, if cyber thieves were to hit only one percent of the 650,000 businesses whose tax information was exposed during a recent security breach – the tab could be in the neighborhood of $340 million. This preliminary estimate was made by Chris Swecker, a former high-ranking official with the Federal Bureau of Investigation who appeared at a cyber security panel convened this week by S.C. State Treasurer Curtis Loftis.
Loftis’ office scheduled the panel prior to the breach becoming public knowledge – although its deliberations have obviously taken on a new sense of urgency.
The breach is also being investigated by a S.C. Senate subcommittee led by Sen. Kevin Bryant (R-Anderson).
On August 27, hackers began infiltrating SCDOR’s computer network – stealing the business tax information along with 3.8 million Social Security numbers and nearly 400,000 credit and debit card numbers. South Carolina officials never knew they had been hacked. In fact, it wasn’t until October 10 that they were alerted to the breach by federal law enforcement authorities. It took another sixteen days for South Carolinians to learn that their data had been compromised.
Haley’s administration initially claimed that no business information had been stolen during the unprecedented breach. She also stated that “nothing could have been done” to prevent the hack – and that South Carolina had used “industry standard” security measures.
All of these claims have been proven false.
Not only that, Haley has yet to take responsibility for the hack. In fact, her SCDOR director was one of several state agency heads to receive a 7 percent pay raise this week.
“It’s a great day in South Carolina,” right?
***
20 comments
Since everyone now says “I didn’t vote for Haley”, how did she get elected?
I voted for her. I’d have second thoughts about voting for her again but not because of this. Would this breach have happened under a Sheheen administration? In all likelihood yes.
I’m an IT guy, nothing about this is unusual at all. While Haley should take the blame for what happened after the breach, she didn’t design the system, she didn’t manage the system and the system predates her administration by more than five years (if my sources are correct). Google “state computer hacked” and you’ll discover a number of states’ systems have been successfully breached in the last year, among them Utah, Ohio and Florida.
This is exactly what happens when security is performed by the lowest bidder.
Haley lied about the breach in her press conference and to vote for a well known habitual liar should be unconstitutional. At least Sheheen has integrity which defines him. Haley has repeated corruption which defines her.
Would this breach have happened under a Sheheen administration? In all likelihood yes.
I would actually agree with that, to a point.
Haley’s response to the Medicaid leak should have included stepping up security across the board, though. The Medicaid leak and the DoR intrusion are two different breaches, one from the inside out and one from the outside in, but they are leaks nonetheless and should have been caught very quickly (we’re talking about moving a shitload of information from inside a secure network to the outside world, alarms should be going off bigtime either way).
I can’t say if Sheheen would have responded any better than Haley, or if such a response could have actually prevented this attack, but I would be more likely to defend a governor who did take at least some steps to significantly improve security. The fact that this information was not ever encrypted, though, is proof positive that SCDoR has been fucking up for a very long time, definitely before Haley.
Haley’s response to this incident, though, has been absolutely dreadful.
The DoD Medical Examination network was breached about a year ago. Forensic reconstruction points directly at the Chinese Gov’t. Most Administrators were initially unconcerned about the breach until someone pointed out that all of the information needed to construct fake identities from SSNs to medical records was present on the server – and many of the people whose records were stolen had or will have gov’t security clearances. Gov’t’s response – “…we’ll close the barn door”. No help provided to any of those at risk at all, in fact, no notice was provided.
In March of this year hackers found a weakness in a server configuration and stole 780,000 records from Utah’s Medicaid servers (who knew Utah had so many poor people…). Utah set out a plan very similar to SC’s.
The Pentagon is attacked 24/7/365 with occasional successes even though they have an entire command (Cyber Command run by the Air Farce) dedicated to protecting network infrastructure.
Only through multi-layer encryption, high level password combined with physical media security and intentional active network protection/monitoring via honeypots, pseudoservers and all kinds of computer trickery can networks be mostly protected. Most agencies can’t afford this kind of protection, most users won’t put up with the additional step required by high level security and just as soon as we get it set up, someone will figure out how to breach it.
If you have information on a server linked to the internet or even attainable through a wired or wireless entry point – your information is at risk.
Johnny is correct! She lied! She has proven to have a pathology for lying, just like O’Bama. Along with one pathology usually come others in almost every personality with pathologies.
Haley has proven herself as a self serving individual and is alleged as to have sexual perversions also. In my opinion these allegations are almost assuredly accurate also, they tend to be found together. Not just affairs of the heart and body; but, the inability to control one’s sexual perversions (multiple partners, bisexual activity, etc.), inability to control aberration for the truth, the use of others in order to promote oneself above all else (narcissism)!
Haley exhibits all of the above and I’m sure others.
She is having a press conference today in which she will accept responsibility but will still blame it on her period.
I can’t even stand the sight of hippo teeth needless to say listen to her tell more lies at ANOTHER press conference. She just loves getting in front of the camera regardless.
The cost to the taxpayer to cover credit monitoring and other responses is bad enough, but the worst part is when people start becoming victims and having to deal with their identity being stolen. Because of this fuck up of epic proportions, that could easily happen to any of us and through no fault of our own. Even if you are protected with some kind of money guarantee, it takes up a lot of time and resources to fight shit like that.
If I got a 7 percent raise for working for a company that loses millions of dollars…….oh yeah that was Enron.
Stupid me.
I thought the biggest turds only rose to the top in septic tanks.
Drowning in your self-created cesspool must be a horrible fate. The little girl, only not so little anymore, brought it on herself.
I noticed the “little girl” is becoming a bit rotund!
The political appointee and the life-long bureaucrat at DOR are in a small lifeboat that is leaking air fast!! Maybe they can suggest adding a penny to the Sales Tax to pay for this mess. That seems to be the remedy for everything else!
How’s that “smaller cheaper government” theory working out for you?
Good one there hum-dinger.
Just a few items of importance here, OUR federal government and all its resource CANNOT stop hackers from across the world. Absolutely no ONE could have prevented this breach, although she should take responsibility and move to CLOSE some of the IT holes immediately.
I am more interested in JOBS and the Economy and Nikki’s effort in those areas.
Cannot stop hackers?
Shoot, SC appears to have put up signs and advertized that we was ez pickins.
Using your logic, why try to secure data at all? We can all run around as one endemic mass that each of us has no single identity.
Is that what you want?
As long as a human is involved (specifically a politician), there is no two way key, and/or the data is connected to ‘the world’ – then ya, with enough determination someone can get in.
BUT – and please understand technology – intrusion techniques such as BRUTE FORCE *can* be detected.
This government is EPIC FAIL when it comes to technology.
Go visit http://www.scdhec.gov – it’s been down since at least early this morning; most qualified webmasters will at least put up a “down for maintenance page” or “we are experiencing technical difficulties”.
Nope – this is South Carolina – we do things different, darn it!
Who needs qualifications??!? You did, after all, elect Nikki….
Brushjumper, Unfortunately Nikki’s futile efforts to cover up the hacking and DOR’s lax security are better than her efforts to bring jobs and strengthen the economy in SC. The price tag on the hacking alone will ruin the economy of this state … unless you have over $340 million laying around.
But it is your right not to be interested.
NELSON MULLINS, IDENTITY THEFT, SOUTH CAROLINA, AND $100,000.00
Law firm (Nelson Mullins) tries to clear up confusion about how Experian deal reached
November 27, 2012
COLUMBIA — Thad Westbrook of Nelson Mullins, a law firm representing the state in the aftermath of a massive cyber breach now says NO competitors were contacted before the state reached a $12 million no-bid contract with Experian.
Attorney Jon Neiditz of Columbia firm Nelson Mullins said the confusion over whether the firm had contacted other credit monitoring companies resulted from an unclear statement made by another attorney, Thad Westbrook.
The Revenue Department reached an initial agreement with Experian just before the breach affecting millions of current and former S.C. taxpayers was first announced publicly on Oct. 26.
The confusion over whether Thad Westbrook of Nelson Mullins ever reached out to Experian competitors began at an Oct. 30 Senate Finance Committee hearing from comments from Nelson Mullins attorney Thad Westbrook.
Revenue Department Director James Etter, who is resigning effective at the end of this year, correctly told senators that no other companies were contacted besides Experian.
But Nelson Mullins attorney Thad Westbrook immediately followed up and told senators that pricing was obtained from two other firms but Experian had the ability to scale up quickly in an emergency situation.
Weeks after the hearing, Revenue Department spokeswoman Samantha Cheek named the other two companies that Nelson Mullins had obtained estimates from as Citreas and Identity Force.
Obtaining pricing information from Experian competitors and examination did not include reaching out to them.
Neiditz said he had pre-existing pricing information from various cyber security companies and knew Experian could offer the best deal. The leaders of other firms have disputed that assessment.
Neiditz said Monday that Thad Westbrook’s statement during the hearing caused confusion.
“It wasn’t clear,” Neiditz said. “It led to the impression that other companies had been contacted….I mentioned those vendors to him.”
Some senators have expressed concerns about the state’s NO-BID contract with Experian.
Anderson GOP Sen. Kevin Bryant said it’s worrisome that no other companies were approached following the breach.
“This snowball just keeps getting bigger and bigger as time goes by,” Bryant is co-chairman of a new oversight panel tasked with looking into the cyber attack.
Normally, state contracts are struck following a request for proposals from various companies.
The law states “competition as is practicable SHALL be obtained.”
Neiditz recommended Experian to his firm, which then recommended Experian to the state. Nelson Mullins and their attorneys are being paid an estimated $100,000 for its work assisting the state.
…EXPERIAN and two competitors as Thad Westbrook and Cheek said, but NEVER contacted any of them before deciding on Experian.
Neiditz said he first contacted Experian on Oct. 23, three days before the breach was announced.
Etter had told senators during the hearing that Experian was first contacted on Oct. 25.
The Secret Service alerted state officials to the breach on Oct. 10.
“As a result, I don’t think that those business models received full consideration. Neither did other companies.”
The CEOs of Citreas and Identity Force said that their pricing would have been competitive with Experian and their services would have been superior in some ways.
Vendors likely would have been beating down the state’s doors and possibly could have provided a better deal…
Nelson Mullins and their attorneys are being paid an estimated $100,000.00
http://www.postandcourier.com/article/20121127/PC16/121129491/