CHARLESTON, South Carolina (Reuters) - The head of South Carolina’s tax collection agency has resigned after hackers gained access to state computers and the personal information of nearly 4 million state taxpayers, including Social Security numbers, Governor Nikki Haley said on Tuesday.
Jim Etter, director of the Department of Revenue, will step down at the end of the year, Haley said. His resignation follows criticism that state officials took too long to disclose a huge security breach that began in August but was not publicly disclosed until October.
Hackers also stole 3.3 million bank account numbers and the tax files of 700,000 businesses, Haley said. The breach, believed to be the largest of a tax agency, affected taxpayers who filed electronically.
Haley said a report from the computer security firm Mandiant, which state officials hired to identify what information was stolen, argued the revenue department should have required dual verification to access the state’s information and encrypted Social Security numbers.
She has said there was little any state official could have done to avoid the attack.
But Haley criticized what she described as the state’s outdated computer equipment and said the Internal Revenue Service needed to toughen policies about encryption and Social Security numbers.
“The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers,” Haley said. “Did we have a chance to do a better job? We did.”
Michelle Eldridge, an IRS spokeswoman, said in a statement that the agency used “many different systems with a variety of safeguards - including encryption - to protect taxpayer data.”
“We work closely with the states to ensure the protection of federal tax data,” she said.
Officials have said the weak spot in the agency’s system was closed down on October 20 and is now believed to be secure.
Taxpayers affected by the breach will be notified by letter, Haley said.
State Police Chief Mark Keel said an investigation into who hacked the state agency’s computers was being led by the U.S. Secret Service.
Keel would not comment on how the breach happened.
In October, State Law Enforcement Division spokesman Thom Berry said a hacker used a foreign Internet Protocol, or IP, address to gain access to the data.
The Treasury Department recently issued a report that found that the IRS paid out more than $5.2 billion in tax refunds to swindlers who filed about 1.5 million fake returns using stolen identities. The report predicted that scammers would likely swindle $21 billion more from the IRS over the next five years.
Editing by Kevin Gray and Peter Cooney