COLUMBIA -- As more South Carolinians learned that hackers hold their tax return data, Gov. Nikki Haley admitted Tuesday that the state did not do enough to protect their sensitive financial information and accepted the resignation of the agency director in the middle of the controversy.
"Could South Carolina have done a better job? Absolutely, or we would not be standing here," said Haley, who had insisted in the first days after revealing the cyber attack that nothing could have prevented the breach.
Hackers possess Social Security and other data belonging to 5.7 million people - 3.8 million taxpayers and their 1.9 million dependents, Haley said. The number of businesses affected has risen slightly to nearly 700,000. All of the stolen tax data dating back to 1998 was unencrypted.
The theft at the S.C. Department of Revenue is the largest known hacking at a state agency nationwide, according to the San Diego-based Privacy Rights Clearinghouse, which has been collecting breach data since 2005.
Hackers took tax information only of people who filed returns electronically, Haley said. Taxpayers whose information was stolen will receive notification soon by letter or email, she said.
Thieves also have bank account information belonging to 3.3 million S.C. taxpayers, Haley said. The S.C. Banking Association has asked banks to step up surveillance for fraudulent activity and share news of attempts to drain accounts, said Fred Green, the group's president.
Hackers duped a revenue department employee into clicking on a link in an Aug. 13 email, according to a report from Mandiant, a Washington computer forensics firm hired by the state to investigate the incident. The link appeared to trigger a program to steal the employee's username and password. The crooks uploaded files on Sept. 13 and 14 after accessing the system eight times and stealing passwords of three other employees during the previous month, Mandiant said. The hackers used a virtual backdoor on Oct. 17, a week after the Secret Service alerted the state about the breach.
After saying soon after the attack that no one in state government should be blamed, the governor accepted the resignation of revenue department director Jim Etter. He will leave at the end of the year.
"Jim and I both agreed that we probably needed a new set of eyes on the Department of Revenue - one that looked at data in terms of securing it," Haley said.
Etter, who had no comment Tuesday, will be replaced by Bill Blume, director of the S.C. Public Employee Benefit Authority.
Still, Haley said the breach was not Etter's fault.
During the conference, the governor identified two deficiencies that led to the breach: the lack of a dual verification requirement to prevent remote access to the system, and the failure to encrypt data.
Dual verification procedures, such as the use of a USB computer protection key, are commonplace in the private sector as a safeguard against unauthorized remote access, according to state Sen. Tom Davis, R-Beaufort.
"There must be more discussion about the lack of dual verification in order to remotely access the S.C. Department of Revenue system and about who has remote access authority," Davis said.
The governor, a frequent critic of federal policies, pointed to IRS rules that do not require encrypting taxpayer data in servers as part of the "cocktail for an attack." IRS rules require encryption while transmitting data.
Haley sent a letter to the IRS asking the federal agency and all states to encrypt taxpayer data in servers. She called the IRS's cyber-security standards outdated, a departure from her statement, made soon after revealing the breach on Oct. 26, that encrypting data was not an industry standard. The state is encrypting all data at the revenue department.
The IRS said in a statement Tuesday that it uses "a variety of safeguards - including encryption," though the agency did not say if data in its servers are encrypted. The IRS said it is reviewing Haley's letter.
Haley also blamed the breach on the revenue department not using a double-password to log in and on a computer system from the 1970s.
Some lawmakers said problems lie within state policy. S.C. Rep. Dwight Loftis, R-Greenville, said allowing state agencies to run their own technology operations creates turf wars that increased the likelihood of a massive breach.
"We're just in the 19th century in technology in this state," said Loftis, who has introduced bills to put all state agency computer work under one umbrella.
Haley said she will ask lawmakers to develop an emergency cyber-attack plan like the one the state uses for hurricanes. The plan would include unannounced tests of computer systems at state agencies.
"The Legislature and I can no longer allow us to have archaic data, archaic equipment and archaic systems that don't protect the most sensitive of information for people of our state," Haley said.
More than 843,000 people have enrolled to receive a free year of credit-report monitoring from Experian that is costing the state $12 million, the governor said.
But the crooks can use Social Security numbers, usually sold on the black market for $10 to $20 each, for years, identity theft experts said. Even information belonging to children can be used to give employers a valid number for a job or open credit-card accounts. Parents will have to monitor their children's credit reports as well as their own.
"The Social Security number is the key to everything," said Nikki Junker of the San Diego-based Identity Theft Resource Center.
Staff writers at The Island Packet / The Beaufort Gazette contributed to this report.