COLUMBIA, S.C. (AP) — The state's tax collection agency operated without a computer security chief for nearly a year before a hacker stole millions of taxpayers' personal data — a breach that could have been prevented with a $25,000 purchase, according to testimony Wednesday before a Senate panel.
The hacker could not have accessed the tax returns of 3.8 million individual filers and 700,000 businesses if the Revenue Department had required more than one password to log into the system remotely, said Marshall Heilman with Mandiant, the computer security firm hired to investigate what happened.
Also, he said, if the data had been encrypted, the hacker could not have used the information.
"It's very easy to look back at an attack and pinpoint what went wrong," Heilman said. "Had those safeguards existed, the attacker would've gone on to something else."
Outgoing Revenue Director Jim Etter said the agency was in the process of spending $25,000 on devices that add another security step for logging into the system outside of work. They give users a second password that expires in 60 seconds.
"This could've been prevented by an inexpensive technology. I almost fell out of my chair," the panel's chairman, Sen. Kevin Bryant, said after the hearing.
The Anderson Republican said the lack of a cyber security chief is also partially to blame for the breach.
Etter, whose resignation was announced last week, told senators that the job of information security administrator was vacant from September 2011 through August. That's the month a hacker gained access to the agency's system.
The former chief information officer — who resigned in September for reasons Etter says are unrelated — could not find anyone willing to accept the job for a $100,000 salary, Etter said.
Senators called that an unacceptable answer.
"Why was someone not screaming from the rooftops, 'We need to fill this position,'" Bryant said. "How many banks go 11 months without a security guard?"