The personal information of millions of South Carolinians is at risk after an international hacker got into the state Department of Revenue's computer and plundered credit card, debit card and Social Security numbers.
And some are wondering why the state waited 16 days to let the public know their financial and personal data could be in the hands of thieves.
Gov. Nikki Haley called the breach unprecedented in South Carolina. U.S. Secret Service agent Mike Williams said the cyber-attack was one of the largest his agency has dealt with.
About 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in the cyber-attack, according to S.C. Department of Revenue officials. Most of the credit card numbers were encrypted, some 16,000 were not. The Social Security numbers also lacked such protections, officials said during a news conference Friday in Columbia.
Basically, anyone who has filed a South Carolina tax return since 1998 is at risk.
State officials discovered the breach Oct. 10, but did not go public until Friday. Haley and State Law Enforcement Division Chief Mark Keel defended the delay, saying investigators needed time to gather evidence and try to catch the hacker. So far, no one has been implicated in the cyber-attack.
State Rep. Wendell Gilliard, D-Charleston, called the delay ridiculous and said he would call for an investigation into the Haley administration's handling of the episode.
“The state was trying to dodge the fact that they screwed up,” he said.
State Rep. Leon Stavrinakis, another Charleston Democrat, called the state's response pathetic.
“You don't leave victims exposed to further criminalization so you can catch the perpetrator,” he said.
Haley urged anyone concerned that their information was accessed to contact Experian's ProtectMyID, a credit protection company hired by the state and recommended by the Secret Service.
The taxpayer can immediately enroll in one year of identity protection service provided by Experian, courtesy of the state. Haley said she was unsure how much the credit protection service will cost the state.
“You don't go slim on this. You go strong on this,” Haley said. “This is not going to be inexpensive. But it's something I can confidently say that we did what we were supposed to do to take care of everyone in the state.”
Those trying to take advantage of the state's offer found that it wasn't easy to get answers or help. A website the state instructed people to visit required a special code to gain access, and the code could be obtained only through a mailing that hasn't gone out yet.
A toll-free phone number the state provided also led to more hassles than answers.
Marlena Brown, an account manager from Summerville, called immediately, even before the state leaders' news conference was over Friday afternoon.
She waited 37 minutes to speak to someone with Experian, only to find that they couldn't tell her if she was affected by the data breach. Experian told her an activation code would be mailed to her so she could log on to the company's website to learn more about her potential risk.
“It's a really long wait for no information,” she said.
Still, Brown was lucky to get through. Within the hour of the announcement by state leaders, the phone lines to the credit protection company were tied up. Several attempts by The Post and Courier to call the number provided by the state resulted in either a busy signal or a recording saying the customer care department was closed.
Gilliard said his office was flooded with calls from panic-stricken taxpayers unable to get through on the toll-free number.
Brown said she wasn't angry at the state about the breach. “My only frustration is they waited so long to let us know,” she said.
The S.C. Department of Revenue was informed by the state's Division of Information Technology about a potential security breach on Oct. 10.
SLED Chief Keel said officials didn't immediately notify the public because it would have hampered the investigation into finding who was responsible.
“It was important we had the time to work through the investigation so we could get evidence we would need in the future to have prosecution against them,” Keel said.
Haley also defended the delay and made it clear that she wants the culprit captured.
“I want this person slammed against the wall,” Haley said. “I want to be able to get this person to make sure they can't ever do this to anybody or any state again.”
But some people, such as Jason Parker of Charleston, believe the delay wasn't worth the risk.
“It seems protecting people's credit is more important,” he said.
State officials said they don't believe South Carolina was specifically targeted. When asked if this was a national security matter or more of an issue of stealing the information for financial use, Keel said he didn't know.
Haley said she knows where the attack originated but would not give specifics for fear of jeopardizing the investigation. She also wouldn't describe how the hacker gained access to the computer system, only that it was “creative in nature.”
The intrusion began as early as August and originated from a foreign IP address, Keel said. In mid-September, two other intrusions into the system occurred. That's when state officials believe the hacker obtained data for the first time.
On Oct. 20, the state secured the system and “plugged up the holes,” Haley said. No public funds were accessed or put at risk, state officials said.
This isn't the first time South Carolinians have fallen prey to cyber-thieves. In April, almost a quarter-million residents were put at risk of their identities being stolen after an information breach at the state Medicaid agency.
An employee working for the Medicaid program inappropriately transferred 228,435 beneficiaries' personal information to his personal email and at least one other party, according to the S.C. Department of Health and Human Services.
At the time, the agency's leader said better safeguards should have been in place to prevent the intrusion.
Since the breach, the state's Inspector General's Office has been evaluating the security of all of the state's 16 agencies. So far, nine reviews have been completed, according to Inspector General Patrick Maley.
Two to three of the agencies exceeded performance in security while a couple were struggling but were upgrading their standards, he said.
“That had been an internal breach that had been part of the problem,” Haley said. “This is totally different. This is an international attack that came from the outside.”
Still, some believe the state didn't seem to be taking it very seriously. Parker wanted to know why all the personal information was not encrypted.
“I don't understand how something like this can happen,” he said.
Haley vowed to further protect the state's residents. She issued an executive order directing all Cabinet agencies to immediately designate an information technology officer to cooperate with state Inspector's General. He will make recommendations to improve security policies and procedures.
A task force will be put together to see what we can be done immediately to look at their systems for any immediate weaknesses, Maley said.
According to the governor, the state also will improve and increase training of information security officers and all state government employees on security measures, including cyber security and records protection.
The fact that some of the information accessed by the hacker was unencrypted also will be evaluated, Maley said.
“South Carolina has come under attack but South Carolina is going to fight back in every way possible,” Haley said.
Charleston-based cyber security expert John LaCour said the state hasn't released enough information to know exactly what happened here, but he was disquieted by what he had heard so far.
“It's a bit surprising that the Department of Revenue was vulnerable and had this amount of data in one location in a system that was accessible to the Internet either directly or indirectly,” he said.
LaCour, founder and president of PhishLabs, is more concerned about the loose Social Security numbers than credit or debit card numbers — especially if they are accompanied by names and addresses.
“Generally consumers won't be responsible for losses on their credit card,” he said. “But the greater risk is the compromised Social Security numbers that could be used to apply for new credit card numbers, apply for loans, could be used by some companies to authenticate people who are accessing their services. I think that's the larger concern in my view.”
Brendan Kearney contributed to this report. Reach Natalie Caula at 937-5594 or Twitter.com/ncaula.