The chief information officer's position now sits vacant. Etter said the interim replacement, who took over the duties in September, doesn't have the qualifications for the job.
The hacking incident likely stems from a "phishing" email an employee opened in August, which asked for confirmation of a pending wire transfer. The employee then clicked on a link to a malicious Web site that allowed the hacker to exploit the agency's system, Heilman said.
While Mandiant can't prove that's how the hacker stole the username and password necessary to get into the system and gather administrative passwords that gave full access, that's the likely explanation, he said.
After days of activity in the system, the hacker compressed 75 gigabytes' worth of gathered files — including unencrypted Social Security and bank account numbers — into 8 gigabytes before transferring them out in mid-September, Heilman said.
Etter, appointed to the job last year, said former administrators considered encrypting stored Social Security numbers, names, addresses and birthdates as part of a 2006 system upgrade, but an evaluation determined it would cost $5 million.
"The idea of going back and encrypting was thought cost-ineffective at the time," he said.
The cost of the state's response is above $14 million and climbing. That includes a $12 million contract with Experian for computer monitoring for taxpayers who sign up. Heilman said Mandiant's services will cost $700,000, which is $200,000 more than Revenue had estimated. Etter said he's uncertain how the state will pay for it.