Residents fret -- and fume -- over hacking attack on taxpayer data
A bombshell hit the state Friday:
ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.
PLACE A SECURITY FREEZE ON CREDIT RECORDS, OR GET ADVICE: Call the S.C. Department of Consumer Affairs at 1-800-922-1594 weekdays during business hours to get advice or to ask that your credit records be frozen at no charge. Or go to http://bit.ly/TL6iD6 to freeze your records yourself.
REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.
PLACE A FRAUD ALERT ON YOUR CREDIT FILE: Residents can request “fraud alerts” to let potential creditors know they may be a victim of identity theft. Call either Equifax at 1-877-576-5734, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289.
3.6 million Social Security numbers compromised.
387,000 credit and debit card numbers exposed.
South Carolina taxpayers — and the information provided to state revenue officials since 1998 — were under cyber-attack.
A day later, frustrations mounted as residents found jammed phone lines and an overloaded website as they raced to protect themselves.
Today, Post and Courier reporters Brendan Kearney and Diette Courrégé Casey shed more light on the unprecedented security breach.
As they dug for answers to the complicated situation, three big questions arose:
How does this breach affect you?
How did this attack happen?
How does this affect my future?
Does it matter whether I filed my taxes electronically or by mail?
No. All tax records since 1998 were affected, regardless of how residents filed them.
Do the hackers have all of my tax information that I’ve ever submitted to the state?
Officials don’t yet know what was taken from the tax record file. They do know the file that was accessed was the one containing the tax filing information for 3.6 million residents, and they should be able to find out what specific files were accessed, said James Etter, director of the state Department of Revenue.
“If it was the full tax returns, then that would be a gold mine for hackers,” he said, noting that could reveal taxpayers’ addresses and where they bank and where they made charitable donations,” said John LaCour, founder and president of Charleston-based cybersecurity firm PhishLabs.
Should I try to sign up for Experian as soon as possible?
As the governor said, every South Carolinian should call the Experian hotline number or go online and avail themselves of the free protections the state is offering, and they should do it sooner rather than later, said Rob Godfrey, Gov. Nikki Haley’s spokesman.
Experian’s phone line has been busy and its website has been down. What’s wrong?
The company has a 300-person call center trying to handle thousands of concerned South Carolina residents’ phone calls. Greg Young, public relations director for Experian, said he’s unaware that the site has been down, and it hasn’t had trouble accepting the South Carolina code. On how many South Carolina residents have signed up for the service thus far, Young said Saturday “we are still determining that number.”
Why is everyone being given the same code — SCDOR123 — to sign up for the Experian service online?
Etter said it’s a temporary code. The state didn’t turn over its files to Experian until Friday, so the company didn’t have time to assign a unique identifier to each resident. In the meantime, the state wanted to give residents an immediate avenue to protect themselves, Etter said.
Anyone who registers now would not have to call back for an individual code; their registration is complete.
Why did the state wait until Friday afternoon to let the public know about this?
That decision was made entirely by the State Law Enforcement Division and the U.S. Secret Service with the governor’s consent. Mark Keel, chief of SLED, said law enforcement officials asked to delay the public release until their investigation reached certain benchmarks, which he could not describe publicly. As soon as they reached those, they alerted the public. It was happenstance that that occurred on a Friday; he said he would’ve loved to have the release earlier in the week. He knew it wasn’t an ideal release time, but the investigation dictated that decision and their goal was to do what was necessary to protect the state’s citizens, he said.
Was it right for the state to wait to let the public know about what happened?
LaCour said that may well have been appropriate, and not enough information has been released to judge. If investigators were able to determine the hackers were returning periodically, it would make sense to wait and see if more clues could be gathered from their left-behind tools or traces.
If not, “then probably it’d be best to err on the side of caution and plug any holes immediately and warn people about it,” LaCour said.
Does the public release of this information mean the investigation is finished or going nowhere?
No, Keel said. “This is an ongoing investigation, and we’re not anywhere near the end of it, and we will continue until we prosecute the person who is responsible.”
LaCour, who has tracked scammers and criminals overseas and worked with federal law enforcement, said there’s a “relatively low” likelihood the perpetrator will ever be caught.
“You have to identify the person, you’ve got to have proof that they did this and then there has to be the appropriate legal structure in place to get them back to the United States or convince their home country to prosecute them. We don’t have mutual legal assistance treaties for cybercrime with every country in the world.”
Who likely perpetrated the hack?
John LaCour, the founder and president of Charleston-based cybersecurity firm PhishLabs, said his “best guess is that it was probably criminals in Eastern Europe, but it’s really just impossible to know.” Since hackers typically bounce between connections and servers, “unless the Secret Service has been able to trace back through multiple connections to determine that it was someone overseas, it’s even possible that it’s someone in the U.S. who’s bouncing their connection to somewhere overseas.”
Is a weak computer system or human error to blame here?
The state isn’t saying, but LaCour said it could be either. “Most likely either IT staff didn’t follow ... security procedures, or there were software vulnerabilities in an application connected to the Internet, or a combination of the two. My guess, and it’s just a guess, is it may have been a procedural issue based on their saying they’re going to invest in security training.”
Why weren’t residents’ Social Security numbers encrypted (protected by a code, the key to which is known only to authorized users)? And why were 16,000 credit card files not encrypted?
Encrypting Social Security numbers hasn’t been an industry standard, said James Etter, the director of the state Department of Revenue. It’s not a big burden to encrypt those; “it’s just a matter of someone paying attention to that,” he said.
It has been standard, however, to encrypt all credit card information since 2003. The 16,000 records that were exposed were before 2003, and Etter said that credit card information should be expired.
But, LaCour noted, even if the cards are expired, the numbers might still be in use, just with a new expiration date that a hacker could eventually figure out.
How did the Secret Service know the state’s system had been breached?
Neither Mark Keel, chief of the State Law Enforcement Division, nor Etter knew the answer. Etter said he knew the area where the breach occurred but not how they detected it.
How will my Social Security number and credit card information be protected in the future?
On Friday, the state re-encrypted all of its credit card records on file, and they plan to encrypt Social Security numbers and credit card information for the upcoming tax period. The state is trying to figure out how to fully encrypt residents’ entire tax files going forward, said James Etter, the director of the state Department of Revenue.
The state also has installed additional monitoring systems and software that will alert it to any further intrusion. The state hasn’t had an intrusion since it began its additional monitoring in September.
What might the hackers (or others) do with any stolen information?
John LaCour, the founder and president of Charleston-based cybersecurity firm PhishLabs, said the hackers would most likely fence the numbers in batches on the cybercriminal underground market. That way, the hacker gets paid quickly and avoids the risk associated with printing up cards themselves and going to stores, for example. (The distribution of the information would also make it difficult for law enforcement to contain the spread of sensitive data.) Whoever eventually attempts illicit use of the numbers could apply for credit cards, try to take out loans or attempt to gain access to bank accounts. “You could submit a fake income tax return as that person and have the refund wired back to you,” LaCour said.
What about banks or merchants who lose money based on fraudulent use of their consumers’ information?
At least initially, they stand to absorb the costs, LaCour said. “Ultimately they’re passed onto consumers in interest rates, but the banks and potentially merchants are likely to take the brunt of the impact of the misuse of any compromised credit cards,” he said. Josh Dunn, a spokesman for Wells Fargo, said the bank’s customers are protected from fraudulent activity involving their accounts as long as they report it in a timely manner.
How much will the state pay Experian to monitor residents credit?
The state signed a contract with Experian on Friday that set a per-person amount, but neither the governor’s office, Etter nor Experian could provide that figure or contract on Saturday. Etter said the state’s attorneys had the contract, and they could not be reached. The total dollar figure charge will depend on how many residents sign up for the service, and that usually ranges between 15 to 30 percent of the affected population. Etter said it’s less than the public would pay, which, according to Experian’s website, is $15.95 per month.
What if people in other states use South Carolina’s code to sign up for Experian’s service?
South Carolina will be charged for that protection, and it’s a risk the state is taking to protect its taxpayers, Etter said. Once the state has unique identifiers for residents, that situation no longer will be possible. But until then, it can be. The state has an informal agreement with Experian to amend its contract and identify those who might have abused the system and signed up when they weren’t entitled to the service, he said.
Experian provides this service for a year for free. What happens at the end of the year?
Experian will offer re-enrollment to each individual for a fee at the end of the year.
Could those who accessed state residents’ Social Security numbers wait years before using them? If so, wouldn’t it make sense to have Experian for longer than one year?
Greg Young, public relations for Experian, did not provide a response to this question.