Embarrassing reminders about the South Carolina Department of Revenue (SCDOR) breach continue. The Associated Press reports on testimony in yesterday’s hearing by the state’s House oversight panel:
Revenue has been criticized for not using the state information technology division’s computer monitoring services — which are offered but not required — before the hacking. While the IT division’s monitors weren’t on revenue’s servers, the agency was using the service on the desktop computers that were initially infected after an employee clicked on a phishing email.
Why, you reasonably ask, did the DOR decline the offer of free monitoring services on its systems before the breach? Good question, and I have yet to see an answer to that in the media coverage I’ve read. Nor do I know why – after knowing that they had had 22 computers infected – they decided that they still didn’t need full monitoring of their system. As one consequence of their decision-making, the DOR did not even know it had been breached and only learned of the problem when the Secret Service notified them a month and a half later. And even then, they didn’t deploy full system monitoring for another 10 days.
State IT division director Jim Earley said revenue’s former chief information officer and current computer security chief were told Aug. 13 that malicious codes were being downloaded on 22 computers. Resetting passwords was among the division’s recommendations.
Revenue officials didn’t do that. Earley told legislators he’s unsure if that would’ve prevented the data theft.
And why, you ask, didn’t they just reset their passwords when they knew that 22 computers had been infected and the state’s IT division just recommended they do that? Another fair question for which we have been given no explanation.
Read more on GoUpstate.com while I contemplate my belly button and wonder whether SCDOR would have made different decisions if they risked big salary cuts or jail time for negligent security of the public’s data.