The South Carolina Department of Revenue on Friday announced that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to South Carolina taxpayers have been exposed in a cyber attack.
Of the credit cards, the vast majority are protected by encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders. Approximately 16,000 are unencrypted, S.C. officials said.
To protect taxpayers, the state will provide those affected with one year of credit monitoring and identity theft protection. Officials emphasized that no public funds were accessed or put at risk.
"On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers," said DOR Director James Etter. "We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor?s office."
DOR contracted information security company Mandiant to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access.
On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered at this time. On October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured.
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," said Governor Nikki Haley. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."
The state's Department of RevenueAnyone added that anyone who has filed a South Carolina tax return since 1998 is urged to visit protectmyid.com/scdor to determine if their information is affected. If so, the taxpayer can immediately enroll in one year of identity protection service provided by Experian.
Experian's ProtectMyID Alert is designed to detect, protect and resolve potential identity theft, and includes daily monitoring of all three credit bureaus. The alerts and daily monitoring services are provided for one year, and consumers will continue to have access to fraud resolution agents and services beyond the first year.
In addition to the Experian service, state officials urged individuals to consider additional steps to protect their identity and financial information, including:
- Regularly review credit reports;
- Place fraud alerts with the three credit bureaus;
- Place a security freeze on financial and credit information with the three credit bureaus.
If credit card information is compromised, the best protection is to have the bank reissue the card.