An ad from the Democratic challenger in the South Carolina governor’s race says that when hackers stole 3.6 million Social Security numbers from state computers, Gov. Nikki Haley “hid it from us for over two weeks” — but the ad fails to mention that Haley’s silence was at the direction of state and federal investigators.
“She did what we asked her to do,” State Law Enforcement Division Chief Mark Keel told FactCheck.org.
Haley’s Democratic opponent, state Sen. Vincent Sheheen, has repeatedly criticized Haley for her handling of a security breach at the Department of Revenue that led to a hacker obtaining the personal data of millions of South Carolina taxpayers. Haley initially said the state had done nothing wrong, though she later acknowledged that the state could have done more to protect sensitive data.
The ad takes particular issue with Haley failing to notify state residents about the security breach for just over two weeks.
According to the ad’s narrator, “When our credit card company saw suspicious activity on our card, they called us right away. We can’t say the same for Nikki Haley. When hackers stole the Social Security numbers of 3.6 million South Carolinians, Haley hid it from us for over two weeks. The biggest security breach of any state agency in history. Putting our personal information at risk. And not even a warning from Haley for weeks. When it comes to protecting us, we just can’t trust Nikki Haley.”
The Sheheen ad is airing statewide and is part of a six-figure media buy, the Sheheen campaign told South Carolina newspaper The State. Polls show a tight race between Sheheen and Haley, with three other candidates, independent Tom Ervin, Libertarian Steve French and United Citizens candidate Morgan Bruce Reeves, trailing much further behind. The election is on Nov. 4.
A Historic Cyberattack
On Oct. 26, 2012, Haley’s office announced that someone had hacked into the state Department of Revenue’s computer system and had stolen 3.6 million Social Security numbers and nearly 400,000 credit and debit card numbers. Investigators later said hackers gained access to information from electronically filed tax returns after a state employee opened an email that downloaded malware onto the computer.
At the time, The State reported that it took state officials 10 days to close the hacker’s access, and that the public was informed six days after that. State Law Enforcement Division Chief Mark Keel said that affected taxpayers were not notified sooner to allow law enforcement time to gather evidence and reach “certain benchmarks in their investigation.”
Keel has maintained that position. He told FactCheck.org that Haley was specifically instructed by him and federal law enforcement officials not to publicly disclose the cyberattack to give investigators time to make some headway.
“Both myself and the special agent in charge at the Secret Service, we asked that [Haley] not go public until we reached certain benchmarks in our investigation,” Keel told FactCheck.org in a phone interview. “She did what we asked her to do.”
That key detail is left out of Sheheen’s attack ad.
Keel said he could not be more specific about what the investigative benchmarks were, since the investigation is still ongoing. No arrests have been made, but some media outlets have reported that it is believed the scheme originated in Russia.
“Once this gets completed, everyone will understand why we did what we did,” Keel said.
“We were doing what we felt was in the best interest of the citizens of our state,” Keel said, adding that the delay was deemed the “best [way] to protect our citizens.”
“I’d like to think that whoever was governor of our state and had all the facts would have done what [Haley] did,” Keel said. “When we accomplished what we set out to accomplish, we told her we’re ready to go public. It wasn’t like she wasn’t wanting to go public every day, but she listened to us.”
“There’s no doubt in my mind we wouldn’t have been able to accomplish what we did” had Haley made the breach public, he said.
The state offered a year of free credit monitoring and identity theft protection to those whose information was stolen, although there have been no reports yet of anyone losing money due to the hacking.
In her initial response to the cyberattack, Haley said there wasn’t anything the state government “could have done … to avoid it.” A month later, after the release of a report from a computer security firm hired to find out how the breach occurred, Haley acknowledged that “we should have done more than we did” to protect the data, including encryption of all data. Haley also announced that the director of the Department of Revenue, Jim Etter, would resign at the end of the year, after the two agreed, she said, that “we need a new set of eyes at the Department of Revenue.”
A portion of the report prepared by Mandiant, the cybersecurity firm hired in the wake of the hacking revelation, was made public, but a more detailed report prepared for the state’s constitutional officers still has not been released. Sheheen has called for the report to be fully released publicly, a move that both the South Carolina Law Enforcement Division and Secret Service oppose.
Sheheen has been critical of the Haley administration’s actions both before and after the cyberattack, and that’s certainly ripe for political debate. But the ad focuses on the 16-day delay in informing the public, and the delay was at the behest of law enforcement.
Haley campaign spokesman Rob Godfrey said in an email to FactCheck.org that disregarding law enforcement’s request would have amounted to “obstruct[ing] a criminal investigation.”
Godfrey, Aug. 22: Even a politically desperate trial lawyer like Vince Sheheen should know better than to obstruct a criminal investigation. It’s shocking that Vince, as governor, would disregard the request of SLED and the Secret Service and compromise the effort to arrest the criminal hacker.
Kristin Sosanie, a spokeswoman for the South Carolina Democratic Party, said in a phone interview with us that “law enforcement is always going to err on the side of wanting to keep things more private.” But Sheheen argues that the public’s right to know was more important in this case, she said. “It’s the job of the governor to weigh the public right to know and law enforcement’s tendency to want to keep things private as long as they can,” Sosanie said.
Ultimately, whether Haley should have disregarded law enforcement’s request is a matter of opinion. But that request is a critical piece of information for voters to know when weighing Haley’s decision to delay going public with the security breach.
— Robert Farley