COLUMBIA, SC (WIS) - "This is not a good day for South Carolina," said Governor Nikki Haley. "South Carolina has come under attack by an international hacker."
State officials revealed Friday that someone in a foreign country gained access to the South Carolina Department of Revenue's website and a server was breached for the first time in late August.
387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.
Of the credit cards, the vast majority are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, DOR officials said. However, approximately 16,000 were unencrypted and exposed.
Officials found out about the breach on October 10. On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made on August 27.
In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered.
On October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured.
"On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers," said DOR Director James Etter. "We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor's office."
"When this breach occurred and it was discovered," said Keel. "it took a while for experts to determine how much data had actually been compromised.
"It was important that we had the time to work through our investigation so that we would have enough evidence to prosecute this person," said Keel.
Haley said she knows where the attack came from, but would not reveal the location of the hacker so the investigation would not be put in jeopardy. "I want this person slammed against the wall," said Haley. "I want that man just brutalized."
Keel said no state funds were touched during this data breach.
"We are going to have a very strong approach to make sure that every South Carolina taxpayer is protected," said Haley. "No taxpayer should be a victim to this. We will take care of them."
If you have paid taxes in the state of South Carolina since 1998, you are urged call 1-866-578-5422 to get an activation code to use here: http://www.protectmyid.com/scdor to see if your information has been compromised. If so, the state will provide a year of identity-theft protection and credit monitoring free of charge.
The phone line is open 9 a.m. to 9 p.m. Monday through Friday and 11 a.m. through 8 p.m. on Saturday and Sunday.
"Whatever it takes to do this, we are going to do," said Haley on potential costs for protecting residents. "This is not going to be inexpensive."
If credit card information is compromised, the best protection is to have the bank reissue the card. Anyone who has used a credit card in a transaction with the Department of Revenue should check bank accounts regularly to see if any unauthorized charges have occurred. If so, the cardholder should contact the credit card issuer immediately by calling the toll-free number located on the back of the card or on a monthly statement, tell them what you have seen, and ask them to cancel and reissue the card.
Consumers should also change any credit card web account passwords immediately when unauthorized charges are detected.
In addition to the Experian service, state officials urged individuals to consider additional steps to protect their identity and financial information, including:
- Regularly review credit reports;
- Place fraud alerts with the three credit bureaus;
- Place a security freeze on financial and credit information with the three credit bureaus.
Here's how to contact all three credit bureaus:
Equifax Fraud Reporting
P.O. Box 740241
Atlanta, GA 30374-0241
Experian Fraud Reporting
P.O. Box 9532
Allen, TX 75013
TransUnion Fraud Reporting
Fraud Victim Assistance Division
P.O. Box 6790 Fullerton, CA 92834-6790