"This is not a great day in South Carolina," Gov. Nikki Haley said, alongside SLED Chief Mark Keel, and representatives from the state Department of Revenue as they disclosed that an international hacker was able to breach a state server and steal taxpayer information, including social security numbers and credit card information for up to 3.6 million South Carolina taxpayers dating back to 1998.
According to Keel, an international hacker first breached state servers on August 27 and began "poking around," though nothing was stolen in that initial attack. Two weeks later on October 10, the U.S. Secret service discovered a potential attack on the state's Department of Revenue that put taxpayers' data at risk and relayed the information to the state Division of Information Technology, which then started working to remedy the situation. But it was too late, the hacker had already stolen more than 3.6 million social security numbers and more than 387,000 credit and debit card numbers from the server. After another week of work, including installing monitoring measures on more than 1,500 individual DOR workstations and mainframes and addressing other potential risks, the state reports that they have closed the breach.
Officials said during a press conference Monday that it may be weeks before it's known exactly whose information was compromised, and that though every precaution was taken to fix vulnerabilities, no system is perfect.
Since reporting the attack, the state has advised anyone who has paid taxes in the state since 1998 to sign up with a state-contracted credit monitoring and protection company, Experian, which says it has already processed more than 450,000 phone inquiries and more than 150,000 sign-ups, and is ramping up its processing capabilities to reduce wait times and internet hang-ups. Haley, who says that she and her husband were victims of identity theft in the past, notes that the state will pick up the tab for one-year of credit monitoring for anyone who signs up, but that the cost, which will come from state coffers, was unknown and that the state was still in negotiations with the credit monitoring company as late as Monday afternoon. The governor added, "This is why I say ‘never spend all the money,'" criticizing legislators for "throwing money to parks and rooftops" instead of saving state funds, "this is what money should be saved for."
The October breach isn't the first information breach the state has seen this year. In April, more than 230,000 Medicare records were stolen by a state Department of Health and Human Services employee using their personal email address.
To sign up for free credit monitoring and protection, call 866-578-5422, or visit protectmyid.com/scdor using the code scdor123.