Hacking report: State could have done more; DOR chief resigns

COLUMBIA, S.C. (WCIV) - Gov. Nikki Haley said Tuesday the state's final report on the Department of Revenue hacking incident showed definite numbers of state taxpayers who were compromised.

"The main question that I asked yesterday was did we have a chance to do a better job? And, we did," said Gov. Haley.{}"There were two vulnerabilities that we found. One was that we had, that there was no dual verification to get into the system. The second one was that the encryption of the social security data wasn't there."

The governor said they now know every person whose account was breached, adding that those people would be receiving a letter from the state and an email from Experian within the next seven days.

She also said Jim Etter, the SCDOR director, was stepping down. She planned to replace him with Bill Blume.

According to Haley, 3.8 million people who filed taxes were compromised. Another 1.9 million dependents connected to those 3.8 million were also put at risk. An additional 700,000 businesses were exposed along with 3.3 million bank accounts and 5,000 credit cards.

"Yes. we should have done more than we did," Gov. Haley said. "We should have done above and beyond what we did which is why we are going ahead and we are going to encrypt all of those social security numbers. That has already started."

The hack only affected people who filed their taxes electronically since 1998. Haley said it appears that most of the compromised accounts were from 2002 to present day, but added that anyone who filed taxes since 1998 should seek credit protection.

"I{}have also sent a letter to the IRS and told them that we have to change these regulations because we have filers in south Carolina that file in other states. And, they are not safe in other states as long as these numbers are not encrypted."

On Wednesday, the IRS issued a statement on Haley's comment about cyber security measures in place at the federal tax agency.

"Protecting taxpayer data is our top priority at the IRS. We have many different systems with a variety of safeguards -- including encryption -- to protect taxpayer data. The IRS has in a place a robust cyber security of technology, people and processes to monitor IRS systems and networks.

"We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information. Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology.

"We just received the letter from Gov. Haley, and we will be reviewing it," said Michelle Eldridge, the IRS spokeswoman.

Haley said more than 800,000 calls have been placed to Experian, the credit monitoring service working with the state, and a total of 740,000 activations.

"We have to go into cyber plan mode," she said. "The IRS does not believe you need to encrypt social security numbers."

Haley went on to say that she and other state officials were working to improve the state's cyber security plan.

"Let's not settle for being adequate," she said.