COLUMBIA, S.C. — State officials did not do enough to prevent a cyberattack at South Carolina's tax collection agency that exposed the personal data of nearly 4 million individual filers and 700,000 businesses, Gov. Nikki Haley said Tuesday.
Haley also said she accepted the resignation of Department of Revenue director Jim Etter, effective Dec. 31.
"Could South Carolina have done a better job? Absolutely, or we would not be standing here," Haley said in releasing a report from Mandiant. The computer security firm was hired Oct. 12 to close the gap and determine what happened. That was two days after the Secret Service notified state officials of the breach.
The release of Mandiant's findings follow weeks of Haley saying no one was to blame and nothing differently could have been done.
Haley said Mandiant showed the revenue department's system was vulnerable because it did not require dual verification for someone trying to access tax returns and did not encrypt Social Security numbers. But the Republican governor blamed the debacle on antiquated state software and outdated IRS security guidelines.
"This is a new era in time," Haley said. "You can't work with 1970 equipment. You can't go with compliance standards of the federal government. Both are outdated."
The hacker stole data from returns filed electronically, as far back as 1998, but mostly since 2002. The cyberthief took 3.3 million unencrypted bank account numbers, as well as 5,000 expired credit card numbers. The Social Security numbers of 1.9 million children on parents' returns were also compromised.
Haley said 3.8 million individual tax filers and 699,000 businesses should assume their entire reports were accessed.
The cyberattack is believed to be the largest on a state tax agency in the nation's history.