The impending departure of the head of the state Department of Revenue is not surprising, given the magnitude of the security breach we have suffered.
It's hard to rebuild confidence in an agency run by the same people who oversaw such big mistakes. And big mistakes were made. This breach could have been prevented, or at least made much less likely, if appropriate security steps had been taken, particularly the encrypting of sensitive personal tax information sitting in agency servers.
Unfortunately, the number of people affected has only climbed as the investigation into the hacking continued.
The tally now: 3.8 million Social Security numbers, 3.3 million bank account numbers, data belonging to 699,900 businesses and 5,000 expired credit or debit cards were stolen or potentially stolen, according to Mandiant, the firm hired to find out what happened and how it happened. Hackers took information only from people who had filed returns electronically.
What is going on at an agency that routinely handles this much sensitive information, yet has an employee who clicks on a link in an email, triggering software that steals his username and password?
In all, the hackers compromised 44 systems at the Revenue Department, installed a "back-door" entry on one, and stole files or back-up data on three systems, using 33 unique pieces of malicious software and programs, according to Mandiant and reported by The Greenville News.
Gov. Nikki Haley said Tuesday that two deficiencies led to the security breach: the lack of a dual verification requirement to prevent unauthorized remote access to the system, and the failure to encrypt data.
Haley said the agency didn't encrypt its stored data, other than credit card numbers, because the Internal Revenue Service doesn't recommend encryption for Social Security numbers. She said she sent a letter to the IRS last week suggesting that the agency require all states to encrypt their data.
But some states figured out on their own that such information should be encrypted. North Carolina and Georgia, for example, already encrypt all their data.
Haley said the state knows whose information has been compromised, and those people will be notified by either email or letter.
But the state must do more than that. If an email isn't seen or a letter doesn't reach someone, that person (and their children) could be at serious risk of identity theft and fraud. They might incorrectly assume they were one of the fortunate ones whose information wasn't stolen.
There should be a separate way for people to proactively check their status. Nothing should be left to chance.
And the state should offer individuals whose information is at risk the same protection that businesses are receiving: free lifetime credit monitoring.
Right now, the state has a $12 million contract with Experian to offer a year of free credit monitoring and insurance. After that, individuals will have lifetime credit fraud resolution. How that will work hasn't been explained in any detail. And only those people who sign up with Experian get those protections. Businesses can sign up for free lifetime credit monitoring from Experian and Dun & Bradstreet.
The state owes the people who have been put at risk lifetime protection. The onus should be on the state, not individuals, to protect credit records and prevent fraud. We had no choice in submitting sensitive information to the state, and people have been encouraged to file their taxes electronically.
Lawmakers and the governor have more work to do. They must make sure that sensitive data handled by all state agencies is protected as well as it can be. Consistent standards must be in place. They also should be prepared to spend much more than the $14 million paid out so far, which includes $800,000 for extra security measures; $500,000 to Mandiant; $100,000 to outside attorneys; and $150,000 to a public relations firm.
We may know how the hackers broke into the system and what they took, but this is far from over for state officials and millions of South Carolinians.