ATLANTA -- Gov. Nikki R. Haley said on Tuesday that South Carolina officials had not done enough to stop computer hackers who recently stole millions of personal financial records.
A new report shows that outdated computers and security flaws at the state's Department of Revenue allowed international hackers to steal 3.8 million tax records, the governor said. She announced that the agency's director, James Etter, would resign at the end of the year.
"Could South Carolina have done a better job? Absolutely," she said. "We did not do enough."
Experts say the cyberattack, which resulted in the theft of 3.8 million Social Security numbers and 387,000 credit and debit card numbers, was the largest ever against a state government agency.
On Tuesday, the computer security firm Mandiant released a report with new details about the attack. Hackers broke into the agency's computer system by sending state employees spam e-mail that contained an embedded link. If employees clicked on the link, software was activated on their computers that stole their user names and passwords, Mandiant found. Using this information, the hackers were able to log in as tax officials and steal the data.
In addition to stealing records for the 3.8 million taxpayers, the hackers stole information on nearly 1.9 million dependents and nearly 700,000 businesses between August and October.
Ms. Haley said the report revealed two basic security flaws: state employees did not need multiple passwords and user names to obtain sensitive tax data, and the state did not encrypt Social Security numbers, which could have reduced the harm if any were stolen.
The state is paying up to $12 million to provide a free year of credit monitoring and identity theft prevention to anyone affected.
One victim, Tina Mather, the owner of a catering company in Columbia, says $4,000 was stolen from her bank account and was transferred to companies in Boston and Atlanta and then to unknown people.
"It has put our life through hell trying to figure out where our money went," said Ms. Mather, whose bank is investigating and plans to reimburse her.
Ms. Haley said similar attacks would probably happen in other states if security was not enhanced. She called on the Internal Revenue Service and Congress to adopt new protocols for state tax agencies.
"Every state needs to be looking at this," she said. "It is a new part of any governor's role to make sure this data is secure."
This article originally appeared in The New York Times.