The S.C. Department of Revenue has mailed letters to more than 600,000 state residents and 760,000 non-residents informing them that their data was, in fact, stolen in last year’s hack, the agency announced Thursday.
Since the letters are going out in order of postal ZIP code, from lowest to highest, Charleston-area victims of the cybersecurity breach don’t seem to have received their notices yet.
The department is aiming to send all letters by the end of the month, an agency spokeswoman said, and when they come, their core message is bold-faced and underlined.
“We are writing you today, first to confirm that — as an electronic tax filer — your tax information was compromised and second, to encourage you to take immediate steps to protect yourself against identity theft,” the second sentence of the one-page form letter states.
If you do not receive such a letter, it is likely that your data was not hacked.
The breach, announced in October, resulted in the theft of records of 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 now-expired credit card numbers.
It is the largest known breach of a state agency in U.S. history.
Whereas all state taxpayers going back to 1998 have been operating under the assumption that their information is at risk, the letters identify whose data has actually been compromised.
According to DOR spokeswoman Samantha Cheek, the agency began sending the out-of-state letters Dec. 10. Letters to in-state taxpayers started going out on Christmas Eve, according to Gov. Nikki Haley’s spokesman Rob Godfrey.
The total cost of the mailings will be $1.3 million, Cheek estimated.
Meanwhile, the state’s banks have been working over the past month to figure out which of the 3.3 million hacked accounts are still active and to whom they belong. A Columbia judge set up the protocol by which the DOR could transfer that account information to the banks.
Fred L. Green III, president and CEO of the S.C. Bankers Association, said Thursday that between 25 and 40 percent of the hacked accounts are inactive, and that banks are now able to better help the owners of the remaining active, compromised accounts.
“What it really does is, it eliminates a tremendous amount of uncertainty between the customer and the bank and that creates, I want to say, peace of mind,” Green said.
In the case of the compromised accounts, Green said banks are “looking at those accounts with a tighter screen for unauthorized transactions,” and some are sending out letters of their own.
Mount Pleasant resident John Taylor, who does information technology security work in Charleston, received one of those letters this week from the Bank of South Carolina. It confirmed that his account had been compromised.
“The Bank has taken extra precautions and placed an alert to help protect your affected account,” the letter, dated Dec. 31, stated.
The note also put him on heightened alert, said Taylor, 34, and made him “pretty angry at the fact that my information was breached in the first place.” He called Haley’s initial claim that it couldn’t have been prevented a “crock.”
“They just literally had no safeguards in place,” he said.
Taylor, who has not yet received a letter from the state, has received monthly updates from Experian, which is monitoring his credit through its ProtectMyID service. They say he has not been defrauded.
More than 1 million people had signed up for the state-sponsored Experian ProtectMyID program by Thursday, according to Cheek.
Reach Brendan Kearney at 937-5906 and follow him on Twitter at @kearney_brendan.