COLUMBIA — Six years after one of the nation’s worst data breaches, South Carolina efforts to protect computer records from hackers remain a work in progress, but that did not prevent the end of free credit report monitoring for millions of taxpayers whose information was stolen.
The hacking of personal financial records from the Department of Revenue prompted South Carolina to adopt industry standards about centralizing security rules for the state’s more than 100 agencies, but state authorities are just now coming up with a system for checking whether those agencies actually have those protections in place.
One cybersecurity analyst said the lag in establishing protocols is not surprising.
“This is typical for state and local governments because they don’t have the resources,” said Avivah Litan, a senior analyst with Connecticut-based Gartner Research. “They shouldn’t be doing this anyway. We need a federal cybersecurity strategy.”
Ten data breaches impacting nearly 29,000 people have been reported at South Carolina government agencies since the revenue department hacking, according to the S.C. Department of Consumer Affairs, which tracks security breaches. Asked which state agencies have been hacked, a consumer affairs spokeswoman said that information would be released only with a public-records request.
No arrests have been made in the 2012 theft of tax records belonging to more than 6 million people and businesses that started when an employee opened an email containing a malicious computer program.
The revenue department breach remains under investigation, the State Law Enforcement Division said, which puts further details off-limits, including whether anyone’s stolen information has been used by identity thieves.
The state offered to protect victims from identity theft with free credit monitoring, paying $18 million over the past six years to two companies, the Revenue Department said. About 1.5 million taxpayers enrolled the first year with about 200,000 people a year renewing the monitoring until the program ended in October, the tax agency said.
The department told state lawmakers during budget hearings earlier this year the monitoring contract would end in October and did not discuss extending the contract or finding a new vendor, agency spokeswoman Bonnie Swingle said.
Gov. Henry McMaster’s office said it is satisfied the tax agency determined that free monitoring “accomplished its intended purpose.”
“South Carolinians should take the necessary steps and exercise proper caution to protect themselves from any sort of fraud or identity theft,” McMaster spokesman Brian Symmes said.
Credit monitoring is limited, Litan noted, since it helps mainly after a thief opens a bogus account. A better way to stop identity thieves, Litan said, is consumers freezing their credit reports to prevent new accounts being created using their personal information.
The S.C. Department of Consumer Affairs lists online how to freeze credit reports at consumer.sc.gov/identity-theft-unit. South Carolina continues to address security flaws identified after the breach.
Meanwhile, South Carolina is addressing security issues with state agencies.
Since the breach, all state employees take computer privacy and security training each year, and all agencies must submit security plans. The Department of Administration offers assistance and feedback on plans, reviews spending requests and hosts an annual cybersecurity summit.
South Carolina lacked centralized management over computer security at state agencies at the time of the hacking. Agencies were responsible for their own security measures.
“What scares me is what I don’t know,” one unnamed agency computer officer said in a report conducted by the S.C. Inspector General’s office in the wake of the hacking.
“Agencies were siloed before,” said Rick Makla, the state’s chief strategy officer who oversees information technology.
South Carolina adopted a model used in many states where computer security policies run through a central agency.
The S.C. Department of Administration houses centralized information technology operations and hands out minimum protocols for state agencies to follow. Some agencies, such as those handling medical records, must follow federal security rules as well.
But the Department of Administration is not checking independently whether state agencies are doing what they should to protect information.
Administration officials are working with an outside firm to complete the first audits some time before July, agency spokeswoman Kelly Coakley said.
Not all state agencies have to participate in the Department of Administration audits; those exempt include public colleges, K-12 schools and local governments, Makla said.
State law, however, does not have any punishment for agencies that fail to follow security procedures, Makla said.
“We help them get better,” he said. “We’ll work to get that issue addressed. … It’s part of the journey to getting things done.”
The Department of Administration works with contractors to offer agencies free or inexpensive tools, including for laptop encryption, an extra layer of authentication and vulnerability assessments.
But as criminals become more sophisticated, there’s only so much cybersecurity can do, Litan said.
“It’s a pathetic situation; the bad guys can still get through,” she said. “That does not mean you shouldn’t put a lock on the front door.”