The Hacking of South Carolina
SC Data breach compromises 3.6 million Social Security numbers and information for as many as 657,000 companies
By Karen Masullo, EVP Firestorm
As a resident of South Carolina, I am hacked to find – like so many of my fellow South Carolinians – I’ve been hacked.
A breach of the S.C. Department of Revenue database that has compromised 3.6 million Social Security numbers and information for as many as 657,000 companies began Aug. 27.
The attack wasn’t discovered by the state until Oct. 10, and the hacker entered the Revenue Department system twice before extracting the sensitive data, officials have said.
Additionally, South Carolina’s massive data security breach is far worse than the Governor’s office originally acknowledged.
Initially, the administration claimed that no business tax information had been compromised during the breach; however, officials recently revealed that data affecting more than 650,000 businesses was also part of the hack that stole the 3.6 million Social Security numbers and nearly 400,000 credit and debit card numbers.
Hackers infiltrated South Carolina’s system beginning on August 27 of this year – an unprecedented breach that state officials did not detect. It wasn’t until October 10 that federal law enforcement officials alerted the state that its data had been compromised – and it was another sixteen days until the public was notified.
Since the hack, the administration has claimed that “nothing could have been done” to stop it. The administration does, however, acknowledge that there were holes in the state’s security, since filled.
While Gov. Nikki Haley has repeatedly said nothing could have been done to prevent a hacker from stealing Social Security numbers and credit card information from the S.C. Department of Revenue database, the Revenue Department had not been using a layer of cyber security offered by the state, according to information provided Thursday to The Post and Courier by the S.C. Budget and Control Board.
According to the Budget and Control Board, the Revenue Department was using the state monitoring for certain work stations at the department’s Gervais Street location. But the Division of State Information Technology was not asked to monitor the systems where the breached data was housed, according to the Budget and Control Board.
Credit-monitoring services via Experian have been made available to taxpayers after the massive security breach; however, this service will not prevent account fraud, nor will it alert victims to all types of identity theft. The service will help victims discover more quickly when new credit accounts are fraudulently opened in their name.
Experian was contracted earlier this year by the State Department of Health and Human Services after a project manager was accused of stealing information from 238,000 Medicaid patients. The state paid about $1 million for the roughly 30,000 people who signed up for a year’s worth of the Experian service after that security breach.
This incident is yet another reminder that all organizations must lock down sensitive data by segmenting their networks, using better access controls, and regularly performing vulnerability assessments. And PLEASE, create complex user passwords and do not allow employees to change those passwords. It has been suggested that the breach occurred through a compromised employee ID.
If you were a victim of the SC breach (anyone who has filed a South Carolina tax return since 1998), you should take the following steps:
- Call 1-866-578-5422 to enroll in a consumer protection service. (The call center is open 9:00 AM – 9:00 PM EST on Monday through Friday and 11:00 AM – 8:00 PM EST on Saturday and Sunday.)
- For any South Carolina taxpayer who wishes to bypass the telephone option, there currently is an online service available at http://www.protectmyid.com/scdor. Enter the code SCDOR123 when prompted. South Carolina taxpayers have until the end of January, 2013 to sign up.
- South Carolina’s governor also announced that, starting Friday, Dun & Bradstreet Credibility Corp will offer South Carolina businesses that have filed a tax return since 1998 a CreditAlert product that will alert customers to changes taking place in their business credit file. Even something as simple as a change to a business address or a company officer change would set off an alert to the business owner. The cost will be waived for businesses filing tax returns since 1998. Business owners can visit http://www.dandb.com/sc/ beginning Friday or they can call customer service toll free at this dedicated phone number: 1-800-279-9881.