State officials can't track hacked victims
More than a month after a hacker made off with millions of South Carolina tax records, no one seems sure how much of that highly sensitive information has actually been put to use by criminals.
ENROLL IN FREE CREDIT MONITORING AND IDENTITY PROTECTION: The state is paying for taxpayers to receive identity-protection services from Experian for one year. South Carolinians can enroll either online or by phone. To register by phone, call 1-866-578-5422. The hotline is open from 11 a.m. to 8 p.m. on weekends and 9 a.m. to 9 p.m. on weekdays. To register online, go to protectmyid.com/scdor and use the code “SCDOR123.” At some point, that generic code may not work, and residents will have to call the hotline number.
PLACE A FRAUD ALERT or SECURITY FREEZE ON your credit RECORDS: Residents can request “fraud alerts” to let potential creditors know they may be a victim of identity theft or request a “security freeze” to restrict potential creditors' access to your credit records. To place a fraud alert, call Equifax at 1-800-685-1111, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289. To place a security freeze, you must contact each agency individually. Under South Carolina law, the consumer-reporting agencies cannot charge consumers fees for placing, temporarily lifting or removing a security freeze.
REGULARLY CHECK YOUR CREDIT REPORT: Get free credit reports from the three largest credit-rating organizations by going to annualcreditreport.com.
FOR BUSINESSES: Both Dun & Bradstreet Credibility Corp. and Experian are offering free credit-monitoring services for all South Carolina businesses that have filed state taxes since 1998. Dun & Bradstreet is offering lifetime credit-monitoring via its CreditAlert product. Visit DandB.com/SC or call customer service toll-free at 800-279-9881. Experian is offering one year of its Business Credit Advantage product at smartbusinessreports.com/SouthCarolina. The deadline to sign up for the Experian service is Jan. 31. There is no deadline to sign up for the Dun & Bradstreet service.
State officials say they don't know how many people have been victimized to date, and critics contend that's because there is no centralized system for tracking crimes related to the breach.
Various state agencies are fielding calls from anxious taxpayers and potential victims, Experian is monitoring credit reports, and individual banks and police departments are said to be taking theft complaints at the local level. But there appears to be no coordinated effort to harness all that information and chart the extent of the damage.
State Rep. Leon Stavrinakis, D-Charleston, said lawmakers have received no numbers on crimes stemming from the breach, and that troubles him. The state needs to have some idea how many victims are out there, if only to gauge its potential liability from lawsuits. “Otherwise, you are just taking the word of the lawyers suing you as to what the damages are,” he said.
“I think you have to be able to quantify the fallout from these things just like you have to be able to quantify the mistakes and how to correct them,” Stavrinakis said.
One lawsuit already has been filed against the state Department of Revenue over the hacking scandal and more litigation is expected.
The attorney behind the current lawsuit, former Republican state Sen. John Hawkins, said his office has received several calls from possible victims of the hack, but he has no idea how many more might be out there. He said Gov. Nikki Haley should have signed an executive order designating one agency to take the lead on taking reports from victims and laying out a process for that to occur.
“There is a huge vacuum right now,” he said. “How are we possibly going to apprehend the hackers if we don't even know who the victims are?”
Rob Godfrey, Haley's press secretary, said the governor has worked with law enforcement, administration officials, business leaders and legislators to ensure every South Carolinian is protected and safeguarded against future attacks. “Critics will criticize, and that's OK — but she's not going to stop driving through this.”
In the wake of the breach, Haley quickly moved to secure credit monitoring for affected taxpayers and businesses, and the state hired cyber-security experts to pinpoint how the breach occurred, plug holes and strengthen South Carolina's computer defenses. The path for dealing with the criminal fallout, however, has been less clear.
After some initial confusion, possible fraud victims of the breach were told to report those problems to the State Law Enforcement Division. But a SLED spokesman said this week the agency has been referring victims to local police and that the Revenue Department might be tracking their overall numbers. A Revenue spokeswoman said her agency is maintaining a list of people who call it directly but she couldn't provide any hard numbers Thursday.
In all, the breach affected the records of 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 credit card accounts that are now expired.
Experts have warned that the information could be used to steal identities, make fraudulent purchases, raid bank accounts and more. But to what extent has that occurred? No one seems certain.
Take the case of D'Shonda Edmondson, a Charleston mother of two who discovered her bank card was used Oct. 31 to pay a $700 tab at a French nightclub some 4,000 miles away. She suspects the charge is related to the breach, but she has no way of knowing for sure.
“My bank didn't know, and I didn't know who else to call,” she said.
SLED has received about 50 calls from taxpayers, most of which came from people wondering how to protect themselves, spokesman Thom Berry said. SLED has been referring possible victims to their local law enforcement agency if they suspect they have been defrauded, Berry said. SLED also suggests victims of hacking-related identity theft call the Federal Trade Commission, which operates a counseling line at 1-877-ID-THEFT.
Berry said SLED received a flurry of calls after state officials revealed the breach last month, “but it has trickled off since then to just an occasional call.”
Samantha Cheek, spokeswoman for the Revenue Department, said her agency had “received many calls about the breach and a few concerned calls from individuals who believe they are victims.” She said the department is doing its best to assist those who call and is “maintaining a list to continue to assist these individuals in any way that our agency can.”
Reach Glenn Smith at 937-5556 or Twitter.com/glennsmith5.