The S.C. Department of Revenue has received judicial approval to release the 3.3 million bank account numbers compromised in the recent hack to banks and credit unions so they can determine which taxpayers' accounts are at risk.
Richland County Judge James R. Barber III signed the order this week in Columbia approving the data transfer and dictating how it should be done, according to the court documents and Fred L. Green III, president and CEO of the S.C. Bankers Association, who attended the proceeding.
The Revenue Department had to go to court because the agency is not permitted under state law to release the information to the banks without a “proper judicial order.” The banks now can request their account numbers, and Barber ordered the agency to provide them “as expeditiously as possible.”
Green presumed that would mean “in the next several weeks,” he said Thursday.
Green called the arrangement “a great way” to proceed.
Gov. Nikki Haley's spokesman, Rob Godfrey, wrote in an email Thursday, “As we have said throughout this process, we're going to do everything we can to get South Carolina through this situation — and that's why we got together with banks and credit unions to ask the court to allow us to work together and protect these bank accounts.”
Once the banks have the numbers, they can then determine which of the account numbers are still active and therefore which customers are at risk. Under Wednesday's order, they are obligated to then tell the Revenue Department which accounts remain open and which are closed.
Green said it is up to the banks how to communicate with their customers, but that they will be able to say two things.
“One, that their account was not breached and therefore that they don't need to be concerned about it,” he said, “Or if it was compromised, to let them know that there will be additional fraud screening to better recognize and detect earlier any potential fraudulent activity on that account.”
Barber made clear in his four-page order that the banks and credit unions are not to pass on any of the administrative costs related to their reviews to their customers.
“No depository institution making a request for this information shall assess any new and additional charge to any account holder associated with the exposure of bank information,” he wrote.
This is the state's latest strategy to address the massive hack Haley announced on Oct. 26.
According to Mandiant, a cyber security company hired by the state to investigate the incident, as many as 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 expired credit card accounts were compromised.
Mandiant has reported that the breach stemmed from someone clicking on a malicious “phishing” email sent to multiple Revenue Department employees in August. Haley has said the two central faults in the attack were that the Revenue Department didn't have dual verification to get into its system, and that Social Security numbers were unencrypted.
Experts have warned that the swiped data could be used to steal identities, make fraudulent purchases and raid bank accounts. South Carolinians have therefore been anxious to hear if they are definitively at risk or whether they escaped unscathed.
At a Nov. 20 press conference, Haley said “everybody will be notified by letter that they were part of that breach.” She said those who have signed up for the Experian service will receive an email. She offered no timeline.
Wednesday's consent agreement is separate from that promise, but it would seem to help with the task. Haley said Thursday that South Carolinians will start receiving notification letters next week if their personal financial data was stolen, according to The State newspaper.
As Haley explained at the press conference, only people who filed their taxes electronically are at risk. On Thursday, Green clarified that further, saying only those who also requested an electronic refund (through direct deposit to their bank accounts) are at risk.
He noted that of the 3.3 million bank account numbers, some may be expired and some may represent accounts from which the same person has paid taxes in different years. The hacked data is thought to date back as far as 1998.
“So there will be a sizable percentage of accounts that had been changed, moved, etc. that are no longer in use,” Green said. “So that's the whole purpose, to identify, of that total number, how many are in use today.”
In a case that began and ended Wednesday in the Court of Common Pleas for Richland County, the Revenue Department summoned the Bankers Association and the South Carolina Credit Union League and asked for an exemption from the state law that prohibits release of any tax return information.
The banking organizations, representing their membership, offered no objection. Green said Barber heard from the lawyers for both sides and that the proceeding took “over an hour.”
In his order, Barber exempted the Revenue Department from the usual restriction and specified verification procedures to precede and accompany the transmissions. Once those procedures have been followed, the agency “shall provide the requested information as expeditiously as possible” and “via a secure method,” he wrote.
Reach Brendan Kearney at 937-5906 and follow him on Twitter at @kearney_brendan.