COLUMBIA — Gov. Nikki Haley has repeatedly said nothing could have been done to prevent a hacker from stealing Social Security numbers and credit card information from the S.C. Department of Revenue database.
But for the systems that a hacker breached, the Revenue Department had not been using a layer of cyber security offered by the state, according to information provided Thursday to The Post and Courier by the S.C. Budget and Control Board.
ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity-protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.PLACE A SECURITY FREEZE ON CREDIT RECORDS, OR GET ADVICE: Call the S.C. Department of Consumer Affairs at 1-800-922-1594 weekdays during business hours to get advice or to ask that your credit records be frozen at no charge. Or go to http://bit.ly/TL6iD6 for more information.REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.PLACE A FRAUD ALERT ON YOUR CREDIT FILE: Residents can request “fraud alerts” to let potential creditors know they may be a victim of identity theft. Call either Equifax at 1-800-685-1111, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289.FOR BUSINESSES: Starting at 8 a.m. Friday, Dun & Bradstreet Credibility Corp. will offer its CreditAlert credit-monitoring product for free to South Carolina businesses that have filed a tax return since 1998. Visit DandB.com/SC or call customer service toll free at 800-279-9881.
Democratic state Sen. Vincent Sheheen of Camden said having the state monitoring system in place on the breached systems might not have prevented the attack, but the additional protection could have helped.
“The answer is that there’s no 100 percent guarantee, but the purpose of the (monitoring) system is to detect breaches, and they have been very successful in detecting breaches in other agencies,” he said.
Sheheen, who lost to Haley in the 2010 governor’s race, said the fact that the Revenue Department began using the monitoring after the breach, and the fact that many agencies use the monitoring, shows its relevance. He said the department should have disclosed after announcing the breach that the state monitoring was not in place.
“It means I think we have to call into question what the Department of Revenue isn’t telling us,” he said. “I think we really have to look for some objective investigation into what actually occurred.”
Haley spokesman Rob Godfrey said in response, “Politics is politics and we’re certainly not interested in it right now.”
Many state agencies, school districts and local governments use the free network monitoring services from the Division of State Information Technology.
In the Lowcountry, Charleston and Berkeley counties and the school districts use the monitoring, along with the city of North Charleston and town of Mount Pleasant.
The breach that has compromised 3.6 million Social Security numbers and information for as many as 657,000 companies began Aug. 27.
The attack wasn’t discovered by the state until Oct. 10, according to state officials.
The hacker entered the Revenue Department system twice before extracting the sensitive data, officials have said.
According to the Budget and Control Board, the Revenue Department was using the state monitoring for certain work stations at the department’s Gervais Street location. But the Division of State Information Technology was not asked to monitor the systems where the breached data was housed, according to the Budget and Control Board.
Samantha Cheek, a spokeswoman for the Revenue Department, said the agency cannot comment on where the breached systems are located.
She said that at the time of the breach, the agency already was contracting with a national company, Trustwave, to conduct periodic reviews. Cheek said the Internal Revenue Service also was conducting audits of all Revenue Department computer systems and servers.
“As an agency we did not feel it was necessary to implement (the state’s) monitoring,” she said.
Cheek said the Division of State Information Technology began monitoring all Revenue Department servers after the agency was notified of the breach.
As an agency that processes credit card information, the Revenue Department had to use a national company, such as Trustwave, that was approved by credit card companies, Haley’s office said.
Haley’s office said some of the Revenue Department’s work stations had the state monitoring in place at the time of the breach because of the presence of computer viruses unrelated to the breach.