Editorial: Cyber security, cyber follies
As South Carolina continues to reel from the hacking scandal at the Department of Revenue, the news that it might have been prevented by filling a single security position is simply staggering.
According to testimony in a hearing last week before a Senate committee investigating the breach, the S.C. Department of Revenue’s top cyber security position went unfilled for almost a year until last August because the state couldn’t find anyone to take the job for the proffered $100,000 salary.
In hindsight, paying the going rate would have been a bargain. A cyber security specialist might have identified problems and installed needed safeguards before the system was breached in September.And that wasn’t the only costly omission, as the committee learned.
A $25,000 system that the state is putting into service could have prevented the breach at Revenue by adding another password requirement for those logging on remotely.
That might have countered the credulous Revenue employee who was tricked into providing access to the hacker, who stole the tax data of some 3.9 million S.C. taxpayers.
The ad hoc Senate committee will continue to hold hearings periodically until the Legislature returns to session in January, and then issue a report on its findings. It should provide needed oversight and accountability on a matter of vital concern to virtually everyone in the state.
Sen. Kevin Bryant, R-Anderson, recently cited the numerous changes in the official account of the still unfolding saga.
“The facts surrounding this incident seem to change too frequently. We first were told that this was an international criminal and had nothing to do with internal activities or policy, but then we learned that the data was accessed with SCDOR employee credentials. We were told that SCDOR could have done absolutely nothing differently to protect us. We then found out, though, that not only was our data not encrypted but also that SCDOR refused a free data monitoring service offered by the state’s IT department.”
The committee co-chairman added, “I am very displeased that we continually are discovering that not only could more have been done, but also that it would have been at minimal, if any, cost.”
While Sen. Bryant takes the cabinet agency to task for its shortcomings, he does agree strongly with Gov. Nikki Haley on one issue — the need for South Carolina residents to contact the Internet security firm Experian for protection. So far, some 900,000 taxpayers have taken advantage of the protection provided by the state through Experian.
It’s time for taxpayers to contact Experian to ensure that protection will be extended before the Jan. 31 deadline. There no sense in compounding the state’s errors with procrastination.
— The Post and Courier