A tiny bit of a mystery was solved this week when The Post and Courier’s Jessica Holdman reported that it was a contractor, and not a state employee, who opened the cyberdoor a decade ago that allowed hackers to steal the Social Security numbers and other sensitive data of 6.4 million S.C. taxpayers.
It’s unlikely that we’ll ever learn many more details, such as who actually stole our data from the S.C. Department of Revenue or whether the state paid ransom in an effort to keep the data from being sold on the dark web, much less how much was paid if it was, or what became of the data if it wasn’t.
And while we’d love to know the answers to those mysteries, it’s hard to criticize state officials for refusing to say — particularly since the FBI took over the investigation and put a freeze on releasing details. Nor is it entirely clear that the FBI is wrong to limit information about cybercrimes that could involve ransom: If governments and businesses announced that they had not paid ransom, then the very strong implication would be that everyone who doesn’t say that did pay. And that would provide hackers information about who they should target.
In any event, there are more important lingering issues to deal with than whether and how much ransom might have been paid.
In the decade since hackers breached the Revenue Department, such crimes have come to be seen as inevitable. We barely notice when the latest mega-corporation announces that its records have been hacked. If we aren’t having our credit monitored, then shame on us.
But South Carolina’s data breach wasn’t inevitable, and even though it happened at the dawn of such massive breaches — it was at the time the largest state government data breach in U.S. history — it wasn’t so early that there was no way to prevent it.
Criminals got their hands on our most sensitive financial information because that unidentified contractor opened a phishing email — which even in 2012 we all knew was dangerous.
The breach was consequential because the Revenue Department didn’t bother to encrypt the personal information we were all required by law to provide to it; that’s also something that was met with a “duh” from most people even back in 2012.
Compounding the problem, the criminals had a month to snoop around inside the agency’s computer system looking for the best information to steal, because the vital position of computer security director had been vacant for a year; Revenue Director James Etter just didn’t consider the cybersecurity post important enough to fill. A month of undetected access is exactly the kind of thing that job exists to catch.
That is, this wasn’t simply a failure of security. It was a failure of governance, based on a bad decision made by an agency director. And yet then-Gov. Nikki Haley declared repeatedly that no one in South Carolina could have done anything to prevent the breach.
As such, it should serve as a reminder to state and local agency directors of how important it is to understand the full scope of their duties, and not just their primary mission, and as a reminder to state legislators and governors of how important it is to understand the work that is done by state agencies, and ensure that it’s being done, even if it isn’t the priority of an individual director.
Fortunately, cybersecurity no longer has to be as high a priority for every agency director as it was a decade ago. After two years of treading water, the Legislature finally responded to the breach by creating a central authority to set and enforce cybersecurity standards across state government. This replaced a system that left that job to individual agency directors, who aren’t experts in cybersecurity and might not want to spend money or adopt time-consuming security procedures to protect our personal data.
But at the Revenue Department, across state and local government, in our businesses and in our personal lives, security still ultimately relies on the decisions every one of us makes every time we receive an email or text that asks us to click a link, open a document, or provide passwords or other sensitive information. At the most basic level, security requires that we recognize that such requests should never be taken at face value unless they are replies to requests we made of the sender, and even then it is worth confirming through a channel we already trust, such as a phone number we looked up ourselves, before handing over anything sensitive.
Government agencies and businesses should have policies against such actions, and they should enforce them through random checks, such as IT departments sending out simulated phishing emails to see who falls for the bait, followed by education and, if necessary, punishment for people who keep exposing those entities to threats. The point of such tests is to find out who needs more training before a real attacker does, not to embarrass anyone, so the results should be tracked over time and the training adjusted to whatever is still fooling people.
It might well be that hackers wouldn’t be able to make off with millions of our state tax records again, but as we are reminded every day, there’s no shortage of hackers, and there’s plenty of other damage they can do if we don’t all keep up our guard.