South Carolina Taxpayer Data Breach Report Shows Protections Inadequate, Attorney Says


RALEIGH, N.C.--A recently released report analyzing a cyber-attack on the South Carolina Department of Revenue's database demonstrates the inadequacy of taxpayer protection efforts by state agencies and officials, a lawyer who filed a lawsuit over the issue told BNA Nov. 26.

John D. Hawkins, an attorney based in Spartanburg, S.C., and a former GOP state senator, said that findings by Mandiant, an Alexandria, Va.-based data security services company hired by the state to perform an incident response, provide “additional verification to what our investigation had already found … that there was gross negligence on the part of these defendants.” In addition, Hawkins said, “the governor's initial insistence that nothing could have been done to stop [the attack] clearly was not correct.”

The state revenue agency announced Oct. 26 that Social Security numbers and credit and debit card numbers were exposed in a September cyber-attack, then later revealed that tax information from businesses also was exposed through the breach (11 PVLR 1624, 11/5/12).

Hawkins alleged in a state court class action complaint he filed on behalf of affected taxpayers that state officials, agencies, and a data security contractor failed to adequately protect the taxpayers' data or properly notify them of the breach (11 PVLR 1658, 11/12/12).

After learning of the breach, the agency took steps to address the vulnerabilities in its systems, including contracting with Mandiant to perform an incident response.

Malware Opened by Agency Employee.

Mandiant's investigation aimed to determine how the attack took place, if it was ongoing, and the scope of the data compromise. Short- and long-term remediation plans and activities also were part of the company's charge.

According to Mandiant's report, released Nov. 20, the attack appeared to have begun through a phishing email sent to multiple Department of Revenue employees. At least one agency employee clicked on a link embedded in the email, which likely executed malware that stole the worker's user name and password, the company said in its report.

Those credentials were later used to access other agency systems and databases and install malicious software. A total of 44 systems were compromised by the attacker, and at least 33 pieces of malicious software and utilities were used to perform the attack and steal data, the report found.

In a press conference held the day the report was released, Gov. Nikki Haley (R) said two major vulnerabilities were uncovered: the system did not require dual verification for access, and Social Security and bank account information was not encrypted.
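As an added illustration, not part of the Mandiant report or of this article, the Go program below shows what the second missing control looks like in practice: application-level encryption of a stored Social Security number under a key held outside the database, with a separately keyed blind index so a return can still be located by SSN without the number ever being stored in clear. The key material, the record identifiers and the sample SSN are constructed for the example; a production system would draw the keys from an HSM or a key-management service rather than generating them in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// FieldKeys holds the two keys this example assumes are issued by a key
// manager outside the database. Encryption and lookup use separate keys so
// that leaking the index key does not expose any ciphertext.
type FieldKeys struct {
	Enc   []byte // 32 bytes -> AES-256-GCM
	Index []byte // 32 bytes -> HMAC-SHA256 blind index
}

// NewFieldKeys generates fresh random keys (constructed for this example).
func NewFieldKeys() (*FieldKeys, error) {
	k := &FieldKeys{Enc: make([]byte, 32), Index: make([]byte, 32)}
	if _, err := io.ReadFull(rand.Reader, k.Enc); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, k.Index); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptSSN returns nonce || ciphertext || GCM tag for one stored field.
// recordID is bound as associated data, so a ciphertext copied from one
// taxpayer's row into another fails to decrypt instead of silently swapping.
func EncryptSSN(keys *FieldKeys, ssn, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, []byte(ssn), []byte(recordID)), nil
}

// DecryptSSN reverses EncryptSSN and fails on tampering or a wrong recordID.
func DecryptSSN(keys *FieldKeys, blob []byte, recordID string) (string, error) {
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil {
		return "", err // authentication failed: tampered, wrong key or wrong row
	}
	return string(pt), nil
}

// BlindIndex is a keyed hash of the SSN kept in a separate indexed column so
// an equality lookup works without plaintext. An unkeyed hash would be
// trivially reversible over the ~10^9 possible SSNs; the HMAC key prevents that.
func BlindIndex(keys *FieldKeys, ssn string) string {
	mac := hmac.New(sha256.New, keys.Index)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	keys, err := NewFieldKeys()
	if err != nil {
		panic(err)
	}
	const ssn = "123-45-6789" // constructed sample value, not a real SSN
	blob, err := EncryptSSN(keys, ssn, "return-000001") // hypothetical row ID
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %x\nstored blind index: %s\n", blob, BlindIndex(keys, ssn))
	if _, err := DecryptSSN(keys, blob, "return-000002"); err != nil {
		fmt.Println("ciphertext moved to another row is rejected:", err)
	}
	got, _ := DecryptSSN(keys, blob, "return-000001")
	fmt.Println("decrypted by the application with the right key and row:", got)
}
```

With this layout a dump of the database table yields only ciphertext and HMAC values; an attacker who has stolen a user's credentials, as the report describes, still needs the application's access to the key manager to recover a single number, which is the separation the "not encrypted" finding says was absent.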

According to Haley, the investigation determined that the Social Security information of 3.8 million taxpayers, information belonging to 699,900 businesses, 3.3 million bank accounts, and 5,000 credit cards were compromised through the attack. The attack affected only filers of electronic returns, and all affected taxpayers have been identified and will be notified, the governor said.

Governor Calls on IRS to Require Encryption.

Haley said the state's use of “1970 equipment, combined with the fact that we were IRS-compliant” was “a cocktail for an attack.” According to the governor, “every state needs to be looking at this.”

Haley Nov. 20 sent a letter to the IRS calling on the federal agency to require states to encrypt stored tax information.

Haley asserted in the letter that “more troubling” is that the IRS's “Tax Information Security Guidelines for Federal, State and Local Agencies” (IRS Publication 1075) appears to not require federal agencies, including the IRS, to encrypt stored taxpayer data.

“I'm not waiting on anybody to tell me what compliance means anymore,” she said during the press conference.

Haley also announced that she had accepted the resignation of Jim Etter, director of the state revenue agency. “We need a new set of eyes on the Department of Revenue,” the governor told reporters.

Hawkins told BNA that “it's simply unconscionable that Social Security numbers were not encrypted” by the South Carolina Department of Revenue. Hawkins said that it was his understanding that other states--including neighboring Georgia and North Carolina--do encrypt such data.

In a statement provided to BNA Nov. 26, Michelle Eldridge, spokeswoman for the IRS, said protecting taxpayer information is a top priority of the agency and a variety of safeguards to accomplish that goal are in place. The agency has “a robust cyber security process involving technology, people and process to monitor IRS systems and networks,” she said.

According to Eldridge, the agency works closely with states to ensure the protection of federal data and has a “long list of requirements” for handling and protecting such information. “Just as importantly, we expect the states to follow the standards of the National Institute of Standards and Technology,” she said.

By Andrew M. Ballard  

Full text of Mandiant's “South Carolina Department of Revenue Public Incident Response Report” is available at

Full text of Haley's letter to the IRS is available at

The IRS's “Tax Information Security Guidelines for Federal, State and Local Agencies” (IRS Publication 1075) are available at
