Haley: Blame the hacker, not the government

When I heard Nikki Haley was going to hold a presser this morning to call about most of our tax returns being stolen from the Department of Revenue, my first thought was to wonder whom she would blame for a failure at her agency.

As it happened, she said that no one was to blame except the hacker — whom she portrayed as some sort of unstoppable super-villain.

She could be right as far as my knowledge of such things extends, although perhaps some of y’all may have other thoughts.

Anyway, here are some highlights of what she said:

  • More than 150,000 people have signed up now for the protection being offered by the state.
  • We have until the end of January to sign up for the credit protection that the state is offering, and the protection will be retroactive. (I don’t know how that works, but that’s what she said.)
  • If you don’t have a computer or Internet access, call DOR and someone will do it for you while you’re on the phone. (Someone noted that people were having trouble getting through. Nikki said she and her husband got right through on Saturday, but then, they called during the Gamecocks’ game. She noted that for most people, it’s taking about 12 minutes to get through.)
  • “We don’t know whose information was compromised.” SLED Chief Mark Keel, to whom the governor deferred repeatedly during the event, said it could be weeks before that is known.
  • No one knows yet how much it will cost for the state to provide the ID protection it is offering to citizens free of charge. “We are in negotiations with Experian” on that, she said. The cost depends on how many sign up. All she could say was that the state will get a wholesale rate.
  • How will it be paid for? She said that would be up to the General Assembly; the money will have to be appropriated.
  • Why not just go ahead and enroll everybody in the protection? she was asked. Because tax records are confidential, and the state is not allowed to sign someone up for something that they might not want, she said.
  • Most Social Security numbers are not encrypted, she said, either in the private or public sector. “This is not just a DOR problem; it’s an industry problem.” She said it was “the industry standard” that such information would not be encrypted.
  • How will minors be covered? In the coming weeks, people who signed up for protection will get the opportunity to sign up for family plans to cover the children associated with their accounts.

When asked whether anyone in her administration has been disciplined over this, she said, “The person I hope will be disciplined is this international criminal that came in and hacked.”

“This wasn’t an issue where anyone in the agency could have avoided it. This wasn’t an issue where anyone in state government could have done something to avoid it. This is a situation that a sophisticated, intelligent criminal got into a database, that is unbelievably creative on how he did it, and now we’re having to deal with it,” she said. Earlier, she had said, “You know, it’s amazing, because when you are dealing with international hackers, you are dealing with a new, sophisticated type of intelligence that a lot of us have not dealt with.” She said if the CIA can be hacked into, anyone can.

“It’s the new world in which we live in,” she said.

As for the point on which she is most vulnerable to criticism, she pointedly did deflect responsibility. She insisted that citizens were not notified earlier because she deferred to the judgment of law enforcement professionals, and said that was the appropriate thing to do in such a situation. In fact, emphasizing that she doesn’t accept blame for that, she had Mark Keel start off the press conference.

“I know that much has been made about the timing of making this public,” said Keel. “The timing of notifying the public… was dictated by law enforcement. It was done because we were conducting an investigation. We were trying to … protect this information as much as we possibly could, and by allowing us the time that we had to conduct our investigation, we believe that this information was better protected than it would have been otherwise.”

“It was done because we asked the administration to allow us time…,” he said.

Nikki Haley’s summary on it all? “It’s not the crisis itself; it’s how you handle it.” And she insisted over and over that the protection being offered to citizens after this breach is second-to-none. She said her family’s information was hacked several years ago, and “I wish we’d had what we are offering today.”

37 thoughts on “Haley: Blame the hacker, not the government

  1. Rose

    She also said that the holes were plugged, which contradicts her statement that nothing could have been done to stop the hacker. So which is it?

  2. bud

    You know how you can tell when a GOP politician is lying? Her lips are moving. Ok that’s an old joke usually referring to any politician. But how can both parties be treated the same when it comes to the dishonesty factor? Here we have Haley passing the buck on this extremely important issue. That’s not leadership, that’s pandering.

    Then there’s Mitt Romney stating that Chrysler is moving 100% of it’s Jeep production to China. Completely not true. That’s bad enough but then Mitt actually made a commercial making the same point. Why anyone, except for the extremely wealthy, would vote for a candidate with an R beside their name is beyond my ability to understand.

  3. Juan Caruso

    Have wondered since 1987 why Social Security numbers are not issued with the option of password protection.

    You mention that Gov. Haley directs blame toward (an unknown) hacker, but fail to tell us whether you think her direction is inappropriate where criminality is involved.

    The federal government (not my role model for good management practices) did likewise when 26.5 million Social Security numbers for active duty troops and veterans were on a missing laptop that disappeared in the custody of a Veterans Affairs data analyst in 2006.

    Thanks for your synopsis, BW, as I had no time to listen/watch the ‘presser’.

    Had hoped the breach applied only to those willing sheep who had filed electronically, but that has not been made clear.

  4. Brad

    Good point, Rose. That IS essentially what she said… There was nothing that could have been done, and now that we know, we’re doing it…

  5. Betsy DuBard

    So I’m supposed to call a number I may or may not be able to get through to, sign up for something I may or may not need,for which the money may or may not be appropriated, and that may or may not work. Um. Okay.

  6. Anne

    Speaking of paying for it, given that they published the access code (and it would be easy enough to get anyway), our state will end up paying for anyone else who can type in the code. This whole thing is annoying.

    As an aside, I’m not really freaking out about having my identity stolen. There are a million other ways (okay, at least 20) someone could get my information.

    But still, this is annoying, and will be a huge expense to our state that possibly could have been avoided.

  7. Anne

    Also? I think she’s lying about calling the number. She’s the flippin’ governor. Why wouldn’t they just tell her the code? That wouldn’t even bother me.

    I think it’s all Michael’s fault. She TOLD him not to play games on her laptop, he broke the rule, and hit the wrong buttons.

  8. Doug Ross


    It’s free… it takes less than five minutes to sign up. You don’t need to call the phone number, just go to the website.


    activation code: scdor123

    Put in you name, address, ssn, birthdate… verify your information, you’re done.

    As long as the hackers spend less than my wife, I’m okay with this.

  9. Steven Davis II

    In other words, nobody’s butt at DOR is in a sling over this. Anywhere else people would have been cleaning out their desks the day it was found.

    How is the credit protection being paid? Isn’t this normally $30-$40 per year per SSN? Gets a little expensive when you have millions of SSN’s to cover. Maybe the state can impose a penny tax.

  10. Silence

    @ Rose – that statement struck me as nonsense too.

    @ Juan, that’s a good question, and one that I was wondering myself. If there was some sort of of two factor-identification for a SSN it would make sense.

    @bud – I don’t see this as a partisan issue. I also don’t see it (yet) as the Haley administration having done anything wrong.

    I do hope that the investigation will be transparent, and that the neccessary security enhancements will actually be implemented. In the case of some of this type of data, perhaps a physical separation – an air gap- between personal information servers and the internet is warranted.

  11. Lynn

    Don’t be surprised to find the call center is off shore.

    Why when the DMV was hacked in Jan/Feb were other agencies with CRITICAL data not taking action to protect their databases?

    Not my fault, says the accountable Gov. I know who I hold accountable.

  12. Patricia Finley

    Nikki Haley is an idiot – it is somebody’s fault – hers. This Breach could have & should have been prevented-its called encryption & anybody responsible for servers knows this. Just about every company in the private sector encrypts social security numbers. If they didn’t – Heads would roll. That is a violation of Sarbanes-Oxley. This should have never happened in the first place if she had decent IT people. I want more than one year of protection – 5 years from now if someone steals my social security number – I am going to sue the hell out of SC and it WILL be Nikki Haley’s fault. Bet these people don’t answer the phone Its a great day in SC!!

  13. bud

    Silence, this shouldn’t be a partisan issue. So let’s leave party out of it. But it is troubling to me that our governor is passing the buck and uttering silly stuff like “we called the number and got through immediately” or “there was nothing we could have done about it”. Just admit that a breach occurred. That the breach was unfortunate. And finally that the breach has (or will be) repaired. Haley’s tone on this issue is just off-putting to the max.

  14. T.J.

    As a member of the private sector, we do in fact encrypt social security numbers and other data defined as “NPI” under Sarbanes-Oxley and GLBA.

    We actually spend a fair amount of money every year making sure our system is secure and up to standard. The technology test my company is required to pass is called an “SSAE-16”. We also do third party penetration testing to examine for vunerabilities. If we do have a breach, we have 24 hours to notify our clients, and 48 hours to notify consumers. Obviously, the state of South Carolina is not nearly as sophisticated or stringent with their IT requirements.

    Stating that this would happened in the private sector is a factually suspect at best. If it happened in the private sector, that company would not be in business after the lawsuits it would face.

  15. Doug Ross

    @Burl says

    “Apply her logic to the current GOP rage about Benghazi.”

    Exactly. We’re still waiting on the Obama administration to tell the real story of what happened weeks ago. And every new fact that comes out makes them look worse and worse.

    Or is that not what you meant?

  16. `Kathryn Braun Fenner

    Put a freeze on your credit. You can unfreeze it when you need to, but it is the best defense against identity theft. It is free to SC residents by law.

    Much better than monitoring.

  17. Mark Stewart

    So let me get this right; a sophisticated international hacker started with an attack on South Carolina?

    Is it not more likely that they instead broke into the weakest, best target? Probably after having probed 30-40 other state’s systems before working down to SC?

    Most likely, DOR had one of the worst, if not the worst, state IT security systems in place nationally. I didn’t expect Haley to admit that, but I would have expected something other than “we are innocent victims.”

  18. Brad

    By the way, this release from Vincent Sheheen came in late Friday afternoon, but I’m just getting to it today (hey, I had shows Friday and Saturday nights!):

    Columbia, SC – State Senator Vincent Sheheen today called Governor Nikki Haley’s decision to delay informing the public of the massive identity theft from the state’s Department of Revenue unacceptable.

    “State leaders have a responsibility to inform the public of news like this in a timely manner. Whether its good news or bad news, like this, the public deserves to know.”

    “I often refrain from criticizing the administration, but enough is enough.”

    “For Governor Haley and her administration to withhold news from us for sixteen days that our personal identity information has been stolen from state computers is completely unacceptable. And to wait until a Friday afternoon to release this information is nothing more than a slick public relations trick trying to minimize political damage. “

  19. `Kathryn Braun Fenner

    I have read that SC was at the top of several lists for most-hackable. There has been plenty of notice that we are vulnerable. I guess if you are off raising money across the country….

  20. bud

    and how convenient that the storm of the century is burying all the news of SC’s disgrace….

    Not to mention the election.

  21. tired old man

    To all:

    Politics is involved.

    Our governor has been trotting all over the country in behalf of a presidential candidate instead of staying at home, behind her desk, providing executive oversight over the Cabinet agencies entrusted to her by the Legislature.

    Compounding this is that she has appointed a rookie, green, inexperienced and woefully young personal staff — and we have to wonder if seasoned executives would not have been more aggressive at managing the Cabinet bureaucracy. The fact is, she has traded away more than one Darla Moore for a small-town political donation.

    This points to the fact that Nikki does not have a world view. She grew up in Bamberg, literally and figuratively in the Third World.

    She was an inconsequential small county legislator, whose sole contribution was something to do with regulating beauty shop shampoos.

    She was placed in charge of a $20 billion a year enterprise, and she has enjoyed herself immensively while avoiding any degree of sweat.

    I saw where someone said this was the equivalent of Hugo, and it may well be before this runs its course through every household in SC (3.6 million returns, 4.6 million citizens).

  22. Steven Davis II

    “I have read that SC was at the top of several lists for most-hackable.”

    As someone who works in IT, I’d like to see such a list, please post your source.

    Never knew that anyone listed states by hackability. But then I don’t listen to NPR.

  23. obiewankenobie

    Tired — are you implying Nikki Haley is a puppet? As in, the best tool in the shed when an unknown source is calling the shots?

    Are you implying that she goes limp when that unknown source isn’t moving?

    Egad, man! That’s a scary thought.

  24. Mark Stewart

    You calling Lexington an inconsequential small county, Tired Old Man?

    It’s a good thing she came into the Governor’s office with a full quiver of business savvy and experience. That’s proven invaluable for us to date.

  25. Juan Caruso

    “For Governor Haley and her administration to withhold news from us for sixteen days that our personal identity information has been stolen from state computers is completely unacceptable. And to wait until a Friday afternoon to release this information is nothing more than a slick public relations trick trying to minimize political damage. “ Sen. V. Sheheen

    As a well-heeled lawyer, Vinnie should know is opinion is without merit if SLED, the Secret Service, or the FBI had requested the delay for investigatory purposes.

    Matter of fact, BW, seasoned journalists might realize as much if they bothered to pause before shooting from their hips.

  26. kc

    I absolutely do not buy her reason for sitting on this news for two weeks. And moreover, for her to release it on a Friday afternoon is inexcusable.

    Anyone who thinks she had a good reason other than covering her butt for the delay ought to ask her what “benchmarks” were met that justified her releasing the info when she did. I’m betting it was because a news org (not The State) was getting ready to break it. I don’t believe for one minute that it had anything to do with the “investigation.”

  27. Rose

    I don’t like Haley at all, and I think the handling of this has been badly botched, but South Carolina’s IT has been woefully outdated for YEARS. I’ve heard a couple of people I know in IT talk about it many times. Then there’s this quote from Tuesday’s State paper:
    “Still, Holland, the ID theft analyst from the Boston-area research group, said not encrypting Social Security numbers in a state database, because the financial industry doesn’t do it, “sounds like a cop-out.”

    “It’s negligent not to be doing it,” he said. “Organizations not doing that are behind the times.”

    Read more here: http://www.thestate.com/2012/10/29/2499913/more-operators-added-to-try-to.html#storylink=cpy


Leave a Reply

Your email address will not be published. Required fields are marked *