The Department of Employment and Workforce is notifying more than 4,000 current and former employees that their personal information – including their dates of birth and Social Security numbers – was downloaded onto an unencrypted mobile storage device.
The download happened on Dec. 18. DEW officials were alerted to the download by security software. The next day, SLED launched an investigation and the employee – whom DEW officials have not named – was suspended without pay. DEW fired that employee Tuesday and began preparing to notify the 4,658 people affected by the breach.
Only current and former employees of DEW and their dependents of were affected. Personal information of the approximately 17,000 people now receiving unemployment benefits in South Carolina was not affected.
SLED has since recovered the device with the information on it. But the investigation is ongoing, and the employee – who was authorized to view the information but not download it to an unencrypted device – has not been charged with a crime. DEW officials think the employee did not intend to steal the information but did not follow established agency policy about downloading personal information, which requires it be downloaded only with permission onto encrypted devices.
“This is exactly what should have happened. Our security measures detected these downloads and DEW promptly began a full investigation,” agency executive director Cheryl M. Stanton said in a written statement. “We don’t know that the information has been further compromised, but out of an abundance of caution we are notifying those employees and individuals impacted so they can take necessary measures to protect themselves, including signing up for the state’s free credit monitoring.”
This is the fourth time since 2012 that personal information in the custody of state government has been compromised:
• In April 2012, an employee of the state Department of Health and Human Services stole the personal information of more than 228,000 Medicaid recipients. Christopher Lykes later was arrested. He pleaded guilty to four counts of willful examination of private records by a public official and a count of criminal conspiracy. His sentencing is pending
• In October 2012, an international hacker stole the personal information of 6.4 million consumers from the S.C. Department of Revenue. South Carolina since has spent more than $20 million to offer free credit-monitoring services for S.C. residents and to upgrade the government’s digital security.
• In October 2013, someone stole a laptop with the names and Social Security numbers of 3,432 people who bought insurance through the S.C. Health Insurance Pool.
Digital security is an issue in the governor’s race. Likely Democratic candidate state Sen. Vincent Sheheen has criticized Republican Gov. Nikki Haley for waiting 10 days before notifying the public of the breach at the Department of Revenue. DEW officials – who report to the governor – waited almost a month to begin notifying employees, officials said, because it took that long to verify all of the people who were affected.
“We worked with SLED for the last month to the fullest extent possible on the investigation to make sure we had the most accurate information to give employees, including reviewing each and every file to identify each individual impacted,” Stanton said.
Haley’s campaign, meanwhile, has criticized Sheheen for recommending Lykes for a promotion prior to the HHS breach.
State agencies have been extra cautious with digital information since the breach at the Department of Revenue. Last year, state agencies requested a combined $98 million for digital security. State lawmakers declined most of those requests, instead concentrating on a statewide strategy that would cover all agencies. Gov. Nikki Haley’s executive budget proposal for the budget year that begins July 1 recommends spending more than $22 million on technology security upgrades.