South Carolina Governor Nikki Haley released a report from a security company on a data breach at the South Carolina Department of Revenue that exposed the tax information of millions of taxpayers in the state to foreign computer hackers, while asking the IRS to take further steps to encrypt taxpayer information.
Haley said the report, from the security company Mandiant, revealed that the personal information of 3.8 million electronic filers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 credit cards had been compromised as a result of the data breach.
Haley said that everybody affected would be notified of the breach. Many of the bank accounts and credit card accounts have already been closed.
“The main question I asked Mandiant yesterday was: did we have a chance to do a better job? We did,” Haley said during a news conference Tuesday. “There were two vulnerabilities that we found. One was that there was no dual verification to get into the system. The second one was that the encryption of the Social Security data wasn’t there.”
Haley also accepted the resignation of South Carolina Department of Revenue director Jim Etter as of December 31. He will be replaced by Bill Blume, who currently serves as executive director of the South Carolina Public Employee Benefit Authority.
Haley noted that even though the South Carolina Department of Revenue was still using computer equipment from the 1970s, the department was nevertheless in compliance with IRS guidelines, which do not require encryption of Social Security numbers. She has written a letter to the Internal Revenue Service encouraging the agency to require all states to put stronger security measures in place for handling tax information.
“As I am sure you are aware, an international hacker recently breached the South Carolina Department of Revenue’s computer system exposing the personal information of all electronic tax filers in my state,” she wrote to IRS Acting Commissioner Steven T. Miller. “While this incident was entirely caused by a malicious criminal hacker, the investigation of how this breach occurred has unfortunately revealed that the IRS does not require encryption of stored tax data, only transmitted data.”
She noted that other federal agencies besides the IRS also do not seem to require encryption of stored federal tax information. Haley is asking members of South Carolina’s congressional delegation to address this shortcoming.
“It must be the responsibility of not only the states but also the federal government to ensure that personal, sensitive information required to be provided to the government by our citizens be vigorously protected to deter cyber-attacks and minimize exposure,” she wrote.