Expert: Data breach could cost taxpayers, businesses hundreds of millions

COLUMBIA — International hackers could cost taxpayers and S.C. businesses a combined $360 million if the thieves are able to infiltrate the bank accounts of just 1 percent of the victims.

About 3.8 million people and up to 657,000 businesses had sensitive information in a breached S.C. Department of Revenue database.

The criminals got the “holy grail” of illicit information by obtaining all data contained in tax returns, said Chris Swecker, who rose to the No. 3 position in the FBI and is a former head of security at Bank of America.

Swecker based his estimate on the economic impact of the state breach on FBI data.

Swecker, now a consultant, was in Columbia Tuesday to take part in a fraud-detection and prevention symposium organized by S.C. Treasurer Curtis Loftis.

Loftis organized the conference before the massive breach was announced by state officials late last month.

The Secret Service informed the state of the breach on Oct. 10, 16 days before officials informed the public.

Swecker said the Secret Service likely discovered the cyberattack after seeing the taxpayer data for sale in the underworld market.

Gov. Nikki Haley said Tuesday that the Secret Service has told the state how it uncovered the attack, but said she has not been authorized by law enforcement to share that information.

Swecker said large companies have been hit in much the same way he thinks South Carolina likely was, through a phishing email that tricked an employee into allowing a hacker into the system.

He said the vast majority of hacking cases involve phishing.

The Revenue Department has said employee credentials were used to access the breached database.

Swecker and Loftis said the state should revisit how it manages information technology security following the cyberattack.