Dept. of Revenue Provides Timeline of Security Breach

This timeline provided by the South Carolina Department of Revenue details the process and procedures the Department of Revenue and the South Carolina Division of Information Technology have taken since a cyber attack on Oct. 10.

October 10:

• The SC Department of Revenue was informed by the South Carolina Division of Information Technology (DSIT) of a potential cyber attack involving the personal information of taxpayers.
• DOR worked with DSIT throughout the day to determine what may have happened and what steps needed to be taken immediately to deal with the situation.
• DOR consulted with state and federal law enforcement agencies for guidance.
• Law enforcement recommended several steps to be taken, including consulting the nation’s top cyber security firms.
• DOR assessed the top 3 recommendations from law enforcement and contacted Mandiant of Alexandria, VA.
• DOR contacted the Governor’s office.
• SLED Chief Keel briefed Governor Haley.

October 11:

• DOR met with the Governor’s office in the morning to give her a full briefing, including laying out our 4-pronged approach:

• Contract with Mandiant, which we signed on October 12 with the approval of the Governor, to find and fix the leak;
• Conduct an internal investigation of all outside contractors and certain employees to see if they have been involved with any security breaches;
• Develop of a public notification plan;
• Institute additional protection tools on our system.

• DSIT began monitoring DOR and its main servers to detect any unauthorized intrusions.
• DOR made the decision that if DSIT or DOR identified any unusual exfiltrations of data, the system impacted would be shut down immediately.

October 12:

• DOR signed a contract with Mandiant.
• Mandiant began working on plans to send surveillance and monitoring tools to be installed at DOR in SC.

October 15:

• DOR worked with Mandiant to begin installing surveillance and monitoring equipment which was completely in place within 48 hours.
• DOR began daily status update calls with complete team, including representatives from law enforcement, DSIT, DOR, Mandiant- the first call was planning session.

October 16:

• Mandiant began deploying a monitoring agent on every computer workstation throughout DOR, a process was completed by October 20.
• By the daily status call on Oct. 16, Mandiant was able to confirm that an unknown hacker or hackers probed the system in early September. We also learned that in mid-September, two other intrusions occurred, and to the best of our knowledge, the hacker obtained data for the first time.

October 18:

• Daily team status meetings were held and systems were continuously monitored.

October 19:

• Mandiant sent a four member team to begin the on-site investigation at DOR.
• DOR is still managing day-to-day business of state of SC while managing this major issue.
• DOR contacted South Carolina law firm, Nelson Mullins, about getting assistance with breach management.

October 20:

• The “hole” was closed and system was secured, to the best of our current knowledge.

October 21-25:

• We continued to monitor the system to make sure no more data was compromised.
• The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens.
• We confirmed that NO public funds were accessed or put at risk as those servers are completely separate from those that were breached. However, approximately 3.6 million Social Security numbers may be affected. Approximately 387,000 credit card numbers were in the materials that were taken, but approximately 371,000 are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, and the others are dated from before 2003.