House Committee Still Seeking Answers on Hack

Nearly four months have passed since South Carolinians were informed about an unprecedented cyber security breach of personal records at the Department of Revenue (DOR).

In response to the breach, more than one million residents have signed up for free credit protection through Experian. Both chambers of the state legislature have commenced investigations and held public hearings.

The House committee on the DOR breach has held hearings twice in the past two weeks, with the most recent being on Thursday. The first hearing featured former DOR data security chief Scott Shealy, who said he did not think cyber safety had been made a priority at the agency.

After yesterday’s hearing, where DOR Deputy Director Harry Cooper testified, the committee appears no closer to finding out what went wrong at the agency or what’s currently being done to prevent another hack from happening. 

See complete coverage of the breach HERE.

For Bakari Sellers (D-Bamberg), the frustration continues to mount.

“The lax at the DOR is shocking,” Sellers told Patch. “And frankly I don’t know how anybody would have any confidence in the data security plan at any of the state agencies besides SLED.”

While previous hearings have explained the specifics about how the breach happened and what could have been done to prevent it (a dual certification system, for example), Sellers still has plenty of unanswered questions.

He’d like to know why taxpayers paid more than a million dollars to private firms to mail notifications of the breach to residents, when the task could have been given to the Division of State Information Technology (DSIT).

“(DSIT) sends out 20 million pieces of mail every year,” Sellers said. “Why did we pay someone else to send out state mail?”

Sellers also wants to know why the full report from Mandiant—the security firm that investigated the breach—has not been made public.

He also thinks former DOR Director Jim Etter and Chief Information Officer Mike Garon need to be subpoenaed, especially Etter. “He signed contracts that put the state on the hook for $20 million. We need to hear from him.”

Etter has been unable to testify due to scheduling conflicts. The committee has not been able to get into contact with Garon and does not know his whereabouts.

Ultimately though, Sellers said, the buck stops with Gov. Nikki Haley. “Let’s not lose sight of the fact that three breaches have happened on her watch.”

That sentiment was shared by Leon Stavrinakis (D-Charleston), who is not on the committee investigating the breach, but has been following it closely.

“Gov. Haley has got to make an effort to be more transparent about what happened and about what’s being done to prevent it from happening again,” Stavrinakis said. “If these type of problems exist at another agencies we need to know what the fixes are.”

A pair of Lowcountry Republicans on the committee have also been looking for answers without much luck.

Last week, Rep. Jim Merrill of Berkeley said, ”I don’t understand why it’s so hard to determine who was in charge during the breach and who is in charge at DOR now.”

Yesterday, as Dep. Dir Cooper was explaining a series of breakdowns at the DOR, he noted that there had been a “failure of process and a failure of structure.”

“That doesn’t make me feel any better,” replied Andy Patrick of Beaufort.

Keep up with all of Patch's coverage of South Carolina politics by following us on Facebook HERE and Twitter HERE.