COLUMBIA, S.C. (AP) — The state's tax collection agency operated without a computer security chief for nearly a year before a hacker stole millions of taxpayers' personal data — a breach that could have been prevented with a $25,000 purchase, according to testimony Wednesday before a Senate panel.
The hacker could not have accessed the tax returns of 3.8 million individual filers and 700,000 businesses if the Revenue Department had required more than one password to log into the system remotely, said Marshall Heilman with Mandiant, the computer security firm hired to investigate what happened.
Also, he said, if the data had been encrypted, the hacker could not have used the information.
"It's very easy to look back at an attack and pinpoint what went wrong," Heilman said. "Had those safeguards existed, the attacker would've gone on to something else."
Outgoing Revenue Director Jim Etter said the agency was in the process of spending $25,000 on devices that add another security step for logging into the system outside of work. They give users a second password that expires in 60 seconds.
"This could've been prevented by an inexpensive technology. I almost fell out of my chair," the panel's chairman, Sen. Kevin Bryant, said after the hearing.
The Anderson Republican said the lack of a cyber security chief is also partially to blame for the breach.
Etter, whose resignation was announced last week, told senators that the job of information security administrator was vacant from September 2011 through August. That's the month a hacker gained access to the agency's system.
The former chief information officer — who resigned in September for reasons Etter says are unrelated — could not find anyone willing to accept the job for a $100,000 salary, Etter said.
Senators called that an unacceptable answer.
"Why was someone not screaming from the rooftops, 'We need to fill this position,'" Bryant said. "How many banks go 11 months without a security guard?"
The person now in the role makes $75,000, according to a state salary database.
The chief information officer's position now sits vacant. Etter said the interim replacement, who took over the duties in September, doesn't have the qualifications for the job.
The hacking incident likely stems from a "phishing" email an employee opened in August, which asked for confirmation of a pending wire transfer. The employee then clicked on a link to a malicious Web site that allowed the hacker to exploit the agency's system, Heilman said.
While Mandiant can't prove that's how the hacker stole the username and password necessary to get into the system and gather administrative passwords that gave full access, that's the likely explanation, he said.
After days of activity in the system, the hacker compressed 75 gigabytes' worth of gathered files — including unencrypted Social Security and bank account numbers — into 8 gigabytes before transferring it out in mid-September, Heilman said.
Etter, appointed to the job last year, said former administrators considered encrypting stored Social Security numbers, names, addresses and birthdates as part of a 2006 system upgrade, but an evaluation determined it would cost $5 million.
"The idea of going back and encrypting was thought cost-ineffective at the time," he said.
The cost of the state's response is above $14 million and climbing. That includes a $12 million contract with Experian for computer monitoring for taxpayers who sign up. Heilman said Mandiant's services will cost $700,000, which is $200,000 more than Revenue had estimated. Etter said he's uncertain how the state will pay for it.