Foot-in-Mouth: SC Department of Revenue Disaster

By now you are all well aware of the utter disaster at the South Carolina Department of Revenue. As the days go on, the complete lack of competence and compassion from the state continues to shock and appall this state's residents.

Sure, learning you are probably one of the MILLIONS of South Carolinians who had their social security numbers stolen is disconcerting enough, but finding out it took weeks to alert those affected, being offered a number for help that provides anything but assistance, and watching your Governor contradict the facts makes the entire situation even more infuriating. Every step along the way has been completely bungled by everyone involved.

The Time Line

The first breach of the Department of Revenue's servers occurred on August 27th of this year, but nothing was stolen. On October 10th, the SCDOR was made aware of a possible cyber attack not by their own resources, but by the federal government. Investigators confirmed the hack SIX days later when they discovered that the SCDOR system was accessed by the hackers multiple times in September. To make matters worse, they are still weeks away from knowing exactly what was stolen.

So, it took SIX days for the SCDOR to even confirm their system had been accessed and when they did, WEEKS had passed since the initial hack. Plus, they didn't even realize it had happened - they needed an outside agency to alert them. For a state-run system that houses extremely sensitive information, this is completely unacceptable. Our social security numbers should never be at risk of being stolen, but if the unthinkable happens, it needs to be discovered almost immediately.

The Announcement

October 26th. That's when the residents of South Carolina were told about the theft. That's TEN days after the SCDOR confirmed the hacking had occurred. I understand some time is needed to execute a plan, put together a press conference, and work with a company, like Experian, to assist those affected, but TEN days? Unbelievable.

The Response

The SCDOR teamed with Mandiant, "one of the world’s top information security companies, to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access."

Awesome. You were just about a month too late in upgrading the system. Maybe next time you could take some initiative and do something proactive like install improvements BEFORE your servers are hacked and over 3 million people have their social security numbers stolen. Just a thought. I guess trying to save some money by forgoing up-to-date security wasn't such a great idea, was it?

As far as "protection" for those who had their information taken, the state was nice enough to initially offer a year's worth of credit protection through Experian. Wow, thanks. You compromised our identities for life, but won't offer us protection for longer than a year? How thoughtful. Especially when you consider identity thieves "generally wait up to three years to use stolen information to avoid getting caught."

Granted, if your information is compromised, you get fraud resolution for life, but you only get the free monitoring for a year. If you choose not to foot the bill of extra coverage, and your information is used after this first year, it may be too late for that fraud resolution to prevent you from running into issues.

The "Solution"

As lackluster as the "protection" is, at least it's something, right? The state gave out a website (protectmyid.com/scdor) and a toll-free number (866-578-5422), which were supposed to provide assistance with credit monitoring and protection. These, not surprisingly, have come with their own flaws.

There are two problems with the website:

  1. Many people still are not comfortable using a computer at all, especially when it involves entering personal information - information which was just stolen from another online server. It's hard for some people to trust that option when it is the cause of their problems to begin with.
  2. If you do decide to use the website, you need an activation code to access the protection options. You may be wondering, "What is this code and where can you get it?" GREAT question, because no one seemed to know. It was THREE days after the initial announcement when I finally found the code (SCDOR123) at the end of an article from ABC News 4. In fact, the SCDOR didn't even post the code on their official Twitter account until October 29th. Why was this information not readily available from the start?

So, that leaves us with the toll-free number. As most of you know, that number was incredibly useless for days and still sports at least a 10-minute wait. Most callers were greeted by this message: “We are currently experiencing higher than normal call wait time. Please call back at a later time or date. We apologize for any inconvenience.” All callers were then promptly hung up on.

In the ten days it took the state to announce the security breach, how did they not appropriately prepare Experian for the influx of calls? How could there not be a more solid plan in place? They were woefully unprepared to deal with the public.

Our Fearless Leader

Governor Nikki Haley has been anything but helpful and compassionate during this ordeal. She has been quick to blame other parties for the state's failings, has made ridiculous excuses and has been more than willing to pat herself on the back for doing the bare minimum.

Here are some of her "best" quotes:

  • "I think what we're looking at is the fact that none of us is completely protected from hackers. It's just the new world in which we live in" (Source).
  • "(The breach) wasn't an issue where anyone in state government could have done something to avoid it" (Source).
  • "Rob Godfrey (a Haley spokesman) said the state is in the process of going 'far beyond industry standards' and encrypting all Department of Revenue files. That process should be completed in the next 60 to 90 days" (Source).
  • Back to Haley herself: "The industry standard is that most social security numbers are not encrypted, a lot of banks don't encrypt, a lot of the agencies that you think might encrypt social security numbers actually don't. It's not something you think about, are we are talking about it now, yes." (Source).
  • "...our job is to respond, respond immediately and do everything we can to take care of the people of the state" (Source).

What an amazing leader we have in South Carolina, huh? Sure, the hack isn't her fault, but she's acting like it was. She's been on the defensive since the beginning and does not appear to have our interests at heart.

Instead of admitting the state, specifically the SCDOR, did not have the appropriate cyber security, she says the attack could not be prevented. If that was the case, how come other states weren't hacked also? Probably because they didn't skimp on up-to-date security like the SCDOR did. Don't forget, the SCDOR indirectly admitted they were behind the times by hiring an outside company to upgrade their systems after the attack. Plus, Governor Haley's own spokesperson said they are NOW going "far beyond industry standards to encrypt" SCDOR files. This, again, indirectly admits that more could have been done. In other words, Governor Haley, this IS something that could have been prevented.

I love how she claims they are "doing everything" to take care of everyone in the state. Is "taking care" of the residents giving us just one year of credit monitoring from a service that can't handle the task really "everything" you could have done, Governor? I'm sorry, but I'm not going to congratulate you for doing the absolute bare minimum for us.

However, it's the fourth quote that is my absolute favorite because it is the most telling. Governor Haley said, "It's not something you think about, are we are talking about it now, yes." For once you are completely right, Governor Haley. You absolutely did not think. You and the state were not proactive in protecting us, you were, and continue to be, completely reactive. That's a horrid way to run a state entity and we are all now paying for your agency's lack of foresight.
