The hacker who reportedly accessed millions of South Carolina tax returns apparently breached state databases via two different paths, according to an official with an information-security firm hired by the state.
Marshall Heilman of Mandiant said the attacker tricked a user in the Department of Revenue’s system into opening a file that then allowed the hacker to access the system, according to a report Wednesday from the Post and Courier of Charleston.
The hacker was able to get into the system because the agency was using unsecured third-party software, Heilman said. Using a stolen credential, Heilman said, the hacker remotely accessed the agency database and stole the information.
South Carolina hired Mandiant last month after learning that more than 3.6 million tax returns going back as far as 1998 had been improperly accessed on a Department of Revenue server. Officials later said that about 657,000 business returns were also hacked, and Revenue officials told the State newspaper that the number of hacked returns had risen to 3.8 million.
Jim Etter, director of the Department of Revenue, told state senators in a hearing last month that about 250 employees had credentials to access the database. Nearly 700,000 people have signed up for free credit monitoring because of the hacking incident.
Agency officials also said that the Department of Revenue hired a public relations firm to help manage its communications after the breach. The department says it is paying $160,000 to Chernoff Newman, saying the agency does not have the resources to do all that is legally required after the breach, such as placing ads telling taxpayers how they can get help.
Chernoff Newman was hired just before an Oct. 26 news conference in which state officials publicly disclosed the breach, according to Revenue spokeswoman Samantha Cheek.
Chernoff Newman also helped state Health and Human Services officials earlier this year after an internal breach by an employee in which more than 228,000 Medicaid records were improperly accessed.
The leader of the South Carolina Association of Taxpayers questioned the Revenue Department’s spending records, telling the Post and Courier that the money would have been better spent preventing the breach in the first place.
“Why should these agencies be allowed to hire PR firms when they make a mistake?” asked Don Weaver, the group’s president.