Gov. Nikki Haley ordered her Cabinet agencies Wednesday to use state-provided computer monitoring, as taxpayers’ cost for responding to a massive security breach at South Carolina’s tax collection agency continues to climb past $14 million.
Haley said she’s taking a two-pronged approach in her 16 Cabinet agencies to secure residents’ personal information and prevent a future cyber-attack. While she can order only the agencies under her control, she encourages others to follow.
The Division of State Information Technology will watch the 16 agencies’ computer systems 24/7, adding around-the-clock monitoring by an employee to what it already provides. Haley said that allows someone to immediately respond to suspicious activity or viruses, no matter what the hour.
“International hackers are not going to do this 9 to 5,” Haley said.
Cabinet agencies will also add a service, dubbed “the hand,” which is supposed to automatically shut down a computer if a hacker is trying to transfer files out of the system.
Haley and other officials announced Oct. 26 that a hacker accessed millions of tax returns filed since 1998, exposing unencrypted Social Security numbers and bank account information. Most of the credit and debit card numbers accessed were encrypted. The number of affected taxpayers has climbed from an initial estimate of 3.6 million to 3.8 million individual files, plus 657,000 businesses.
All agencies can use the state’s IT services, but they aren’t required to. Before the breach, the Revenue Department was among the agencies that turned down the division’s offer for free full system monitoring. While the department used the division’s sensors on many computers, the data was taken from servers, according to the Revenue Department.
The Revenue Department became the state’s 54th agency to fully sign on, doing so Oct. 20, the day Revenue officials have said the breach was closed. The division also monitors the systems of school districts, counties, public libraries, cities, and utilities across the state.
Haley said Wednesday it was “the hand” that closed the security gap. It’s provided by Mandiant, the computer security firm Revenue hired to investigate the hacking. Expanding the officially named Mandiant Intelligent Response will cost $160,000 for equipment, paid for with federal Homeland Security money, Haley said.
Five Cabinet agencies don’t use the state technology division’s services: the State Law Enforcement Division, Department of Public Safety, and the unemployment, Medicaid, and transportation agencies.
They must buy equipment for the 24/7 monitoring to work, costing a combined $560,000 in one-time money, plus $65,000 yearly in licensing fees. The around-the-clock monitoring will require the information technology division to add four employees, likely transferred from within Cabinet agencies, according to the governor’s office.
Haley has been urging residents to sign up for a credit monitoring service paid for by the state. As of Wednesday, nearly 790,000 people had signed up for Experian’s ProtectMyID service, which monitors reports across all three credit bureaus and notifies residents when new accounts are opened. Haley negotiated a $12 million flat fee on the cost of the one-year service and an Experian-operated call center.
The initial contract, signed Oct. 26, called for the state to spend $15.35 per person who signed up for ProtectMyID, plus $720,000 for the call center. The negotiated change was signed Nov. 9, according to contracts provided to The Associated Press and other media on Wednesday.
Other costs are open-ended.
The Revenue Department has estimated spending $500,000 for Mandiant, $100,000 for outside attorneys and $150,000 for a public relations firm. But those costs will depend on the total hours those firms eventually spend on the issue.
The agency also expects to spend $741,000 to mail letters to an estimated 1.5 million out-of-state taxpayers, as required by law. As of Wednesday, no letters had gone out.
Haley said 7,100 business owners had signed up by Tuesday for a similar monitoring service for businesses. Dun & Bradstreet Credibility Corp. is providing that service for free to both businesses and the state.
Haley hopes to lay out details of the investigation later this week, but the timing will depend on Mandiant, which is combing the files to determine exactly what happened. Officials hope it will be able to determine exactly whose information was taken. At this point, officials say, anyone who’s filed a tax return since 1998 should assume their entire tax returns were compromised.
Haley decided to stay in-state because of the breach, skipping the annual Republican Governors Association conference. Haley, a member of the RGA’s executive committee, was supposed to speak Tuesday night at a Goldwater Institute dinner in Phoenix, but didn’t. Then she planned to fly to Las Vegas for the association’s biggest event of the year, which runs Wednesday through Friday, and return on Saturday.
“She felt she needed to focus on what was going on here,” said Haley senior adviser Tim Pearson, who left Haley’s office as chief of staff last month to manage her potential run for re-election.