South Carolina’s Department of Revenue will give taxpayers credit monitoring and identify theft protection after it was found that 3.6 million Social Security numbers and 387,000 credit and debit card numbers were “exposed” during a cyber-attack.
Most of the credit cards are protected by encryption to protect the data. On the other hand, around 16,000 of the credit cards are unencrypted, the state said.
The state will offer one year of credit monitoring and identity theft protection for free to those affected by the breach.
Experian was hired to provide the ID theft protection for taxpayers.
No public funds were ever at risk during the incident, the state added.
The hacking was reported by the state’s Division of Information Technology on Oct. 10 to the Department of Revenue.
“We worked with them throughout that day to determine what may have happened and what steps to take to address the situation,” DOR Director James Etter said in a statement. “We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”
Mandiant, an information security company, helped in the investigation and installed new equipment, software and restricted access.
Also, on Oct. 16, investigators “found there were two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred, and to the best of the department’s knowledge, the hacker obtained data for the first time,” the statement said.
“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Gov. Nikki Haley added in the statement. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”
Anyone who filed a South Carolina tax return since 1998 can visit protectmyid.com/scdor or call 1- 866-578-5422 to see if any private information took a hit.
“From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we’ve taken has been consistent with that priority,” Etter said. “We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation.”
This appears to be the largest cyber-attack against a state tax agency ever in the United States, according to The Associated Press.
The attack came from a computer with an international IP address, The AP adds.
"This is about the worst you can get," said Avivah Litan, an ID theft analyst at Gartner (News - Alert), was quoted in a statement carried by TMCnet.
"As fraud analyst, I would be most nervous about someone having access to my tax records," she added.
Edited by Braden Becker