The cyberattack timeline
It's been just nine days since the public was informed that hackers stole taxpayer's personal and financial information from state computers, but the cyberattacks began earlier.
ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity-protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.
PLACE A FRAUD ALERT or SECURITY FREEZE ON your credit RECORDS: Residents can request “fraud alerts” to let potential creditors know they may be a victim of identity theft or request a “security freeze” to restrict potential creditors' access to your credit records. To place a fraud alert, call Equifax at 1-800-685-1111, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289. To place a security freeze, you must call each agency individually. Under South Carolina law, the consumer reporting agencies cannot charge consumers fees for placing, temporarily lifting or removing a security freeze.
REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.
FOR BUSINESSES: Both Dun & Bradstreet Credibility Corp. and Experian are offering free credit-monitoring services for all South Carolina businesses that have filed state taxes since 1998. Dun & Bradstreet is offering lifetime credit-monitoring via its CreditAlert product. Visit DandB.com/SC or call customer service toll-free at 800-279-9881. Experian is offering one year of its Business Credit Advantage product at smartbusinessreports.com/SouthCarolina. The deadline to sign up for the Experian service is Dec. 1. There is no deadline to sign up for the Dun & Bradstreet service.
It was early September when hackers probed the state Department of Revenue computers, and mid-September when data from millions of taxpayers was stolen.
Here's what happened next:
Oct. 10: The DOR first becomes aware of the incident after being notified by the state's Division of Information Technology of a possible breach. The department consults with law enforcement, contacts the Governor's Office and contacts cyber-security firm Mandiant to consult.
Oct. 11: Governor's Office is briefed, and a response is planned, including public notification and an internal investigation.
Oct. 12: Contract with Mandiant is signed.
Oct. 15: Mandiant and DOR begin installing surveillance and monitoring systems.
Oct. 16: Mandiant confirms that hackers breached DOR's system twice in mid-September, and likely obtained data.
Oct. 19: Mandiant sends four-member team to begin on-site investigation. DOR contacts law firm Nelson Mullens regarding “assistance with breach management.”
Oct. 20: The “hole” in DOR's system is closed and the system is secured, they believe.
Oct. 21-25: DOR learns that about 3.6 million Social Security numbers and 387,000 credit and debit card numbers were taken by hackers. State prepares plan to offer taxpayers a free year of credit monitoring.
Oct. 26: The security breach, affecting anyone who filed an SC tax return since 1998, is revealed to the public. The state signs a contract with Experian and announces a toll-free number information number, which is quickly overwhelmed by callers.
Oct. 29: Gov. Nikki Haley says she does not believe any state employees should be disciplined over the breach because she believes no one could have taken steps to avoid it.
Oct. 30: Privacy and computer security experts tell The Post and Courier that South Carolina's data breach was largest a state has seen, “the mother of all data breaches.” State officials say the resignation of a man who supervised DOR's computer system, less than three weeks before officials discovered the data breach, was unrelated to the hacking incident. Haley blames the media for tying up phone lines.
Oct. 31: State leaders announce credit monitoring also will be offered for 657,000 businesses that may have had financial information exposed in the hacking incident. Spartanburg attorney John Hawkins files a class action suit against Haley and the DOR.
Nov. 1: It's revealed that DOR was not using free network monitoring services available from the Division of State Information Technology.
Nov. 3: The chairman of University of South Carolina's Department of Computer Science, Mike Huhns, said the data breach indicates there was slipshod security in place. He said USC's computer security Center for Information Technology could help, if state agencies were to ask.