WASHINGTON — South Carolina Gov. Nikki Haley on Wednesday for the first time accepted personal blame for a massive cyber-attack that stole the Social Security and bank account numbers of millions of South Carolinians, saying she should have done more to ensure the data’s security.
Haley briefed the state’s congressional delegation on the almost two-months-long hacking into South Carolina Department of Revenue computer servers by digital thieves, who pilfered the tax returns of 3.8 million state residents and 700,000 businesses going back to 1998, gaining access to the Social Security numbers and bank accounts of the taxpayers and 1.9 million of their dependents.
Haley faulted the Internal Revenue Service for failing to make clear that compliance with the giant tax agency’s rules doesn’t include encryption – a method of storing data that protects it from long-distance ID theft – but she acknowledged that as the state’s top executive officer, it was her responsibility to know that.
“I ultimately am saying that South Carolina is at fault for not doing this,” Haley said. “I should have asked the extra question. I should have said, ‘Does this include encryption?’ ”
Before updating the state’s federal lawmakers, Haley addressed a closed meeting of the Republican Governors Association, where she warned some governors and business leaders of hacking threats.
“What I’m going to do is go and educate all my governors and say, ‘Don’t settle for the IRS saying you’re compliant, because what they aren’t telling you is their rules are archaic,’ ” she said at a news conference. “They’re not saying that being compliant doesn’t include actually encrypting those numbers, and no governor knows that right now. And so we’re working hard to get that out there.”
In a recent letter to the IRS, Haley called its cyber-security standards outdated and asked the agency and all states to encrypt taxpayer data in servers. The IRS said in a statement last week that it used “a variety of safeguards – including encryption.”
The hacking began in late August after an unidentified South Carolina Department of Revenue employee clicked on a link in an email, which installed dangerous software – called “phishing malware” – on the employee’s computer.
The data thieves used the malware to obtain the employee’s login and password for accessing electronic tax returns, and then downloaded the returns over the next seven weeks, until a Secret Service probe stopped the operation.
U.S. Sen. Lindsey Graham, a South Carolina Republican, said the episode demonstrated that protecting the computers at federal agencies and private businesses was a national security imperative.
“One of the things that keeps me up at night – besides the Iranians getting a nuclear weapon – is a major cyber-attack against our national-security infrastructure: our power plants, our chemical plants, our aviation systems, our financial systems,” Graham said. “The threat is real. Terrorists are trying to hit us every day (as well as) China, Russia, hostile nations.”
Haley repeated assurances that all South Carolinians whose data was compromised will get letters from the state informing them of the security breach and outlining steps they can take to protect themselves from further harm. Social Security numbers, which sell from $10 to $20 apiece on the black market, can be used to obtain driver’s licenses and other key forms of identification.
The state is paying for consumers to get free one-year credit monitoring and up to $2 million in identity theft insurance, plus lifetime credit-fraud resolution. The protection, for which almost 850,000 people have signed up, is supplied by the Experian credit agency at a cost of $12.5 million to the state.
The South Carolina Bankers Association has asked banks to be on guard against large checking or savings account withdrawals, especially those that empty the accounts.
The South Carolina Department of Revenue is now encrypting digital data, and Haley has asked the state inspector general to recommend how to improve technology policies at state agencies.
Haley also updated the congressional delegation on her administration’s decision not to participate in setting up a health insurance exchange or in expanding Medicaid under President Barack Obama’s landmark health care law.
Sen. Jim DeMint, a South Carolina Republican, said resistance to the law by Haley and other governors – nearly all of them Republican – would help bring it down eventually.
“South Carolina is helping bring this back into an open debate, because if they don’t change the bill or repeal it, it’s going to fail just by the way it’s set up,” DeMint said.
Andrew Shain of The State contributed to this article from Columbia, S.C.