The law firm that filed a class-action complaint against the state of South Carolina and Governor Nikki Haley has added two defendants to its suit after an investigation by WMBF News sister station WIS revealed the Department of Revenue had access to free network monitoring through the state's internet technology department, but chose not to use it and relied on a third-party vendor instead.
Upstate attorney and former senator John D. Hawkins said Monday the lawsuit in the case of 3.6 million tax returns being retrieved by an international hacker from one of the state's servers is being expanded to include private corporation Trustwave and the Department of State Information Technology (DSIT).
"Late last week, the media discovered that the South Carolina Department of Revenue had for the most part rejected data protection services offered by DSIT," Hawkins wrote in a news release. "On Friday, in response to an inquiry from Investigative Reporter Jody Barr at WIS-TV, SCDOR revealed publicly for the first time that in lieu of DSIT, it had elected to use Trustwave for its security monitoring services."
Hawkins contends Trustwave failed to protect public data and failed to notify the public immediately as required by state statute.
On Friday, a spokesperson for the Department of Revenue told Barr that DSIT was not used because the program was not PCI compliant, the standard set by credit card companies to safeguard financial information. "DSIT, while a wonderful program, does not provide PCI compliance," wrote Samantha Cheek. "And therefore the department was required to use a third-party vendor such as Trustwave."
Hawkins said those reasons apply only to credit cards and not to social security numbers and do not excuse the DOR's "failure to use DSIT and other more robust and readily available security systems."
"The public is forced with the threat of jail to pay taxes and give their personal information to SCDOR, yet SCDOR took only the flimsiest steps to protect this private data, leaving South Carolina the most vulnerable target for hackers of any state in the Union," said Hawkins.
Hawkins also questioned why Governor Haley and others failed to disclose the existence of Trustwave publicly until Friday afternoon.
Officials found out about the breach on October 10. On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made on August 27.
Haley, the State Law Enforcement Division, and the Revenue Department revealed the hack to the public on October 26.
Hawkins' original class-action complaint was filed on October 31. It was amended on Monday.