3.6 million S.C. taxpayers’ Social Security numbers hacked in cyber attack, S.C. officials say

About 3.6 million South Carolina taxpayers’ Social Security numbers and 387,000 credit and debit card numbers have been exposed in a cyber attack, state officials announced today.

COLUMBIA — About 3.6 million South Carolina taxpayers’ Social Security numbers and 387,000 credit and debit card numbers have been exposed in a cyber attack, state officials announced today.

Anyone who has filed a South Carolina tax return since 1998 is urged to call 1- 866-578-5422 to help determine if their information is affected. If so, the taxpayer can immediately enroll in one year of identity protection service provided by Experian, courtesy of the state.

Within an hour of the announcement, however, the phone lines to the credit protection company were already tied up with either a busy signal or a recording of an operator saying “All circuits are busy.”

A website set up by the state, http://protectmyid.com/scdor for affected taxpayers to enroll in the identity protection service requires an access code for activation, available by calling the number or by mail during the next few days.

The vast majority of the credit cards are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders. Approximately 16,000 are unencrypted, the department of revenue announced.

“On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers,” Department of Revenue Director James Etter. “We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”

State leaders called a press conference on Friday where Governor Nikki Haley called the attack unprecedented.

“South Carolina has come under attack but South Carolina is going to fight back in every way possible,” Haley said.

Upon the recommendation of law enforcement officials, DOR contracted Mandiant, one of the world’s top information security companies, to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access, the department said in a press release.

According to the release: investigators on Oct. 16 uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred, and to the best of the department’s knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered at this time. On October 20, the vulnerability in the system was closed and, to the best of the department’s knowledge, secured.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Gov. Nikki Haley said. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”

In addition to the Experian service, state officials urged residents to consider additional steps to protect their identity and financial information, including regularly reviewing credit reports, placing fraud alerts with the three credit bureaus and placing a security freeze on financial and credit information with the three bureaus.

If credit card information is compromised, the best protection is to have the bank reissue the card. Anyone who has used a credit card in a transaction with the Department of Revenue should check bank accounts regularly to see if any unauthorized charges have occurred. If so, the cardholder should contact the credit card issuer immediately by calling the toll-free number located on the back of the card or on a monthly statement, tell them what you have seen, and ask them to cancel and reissue the card. Consumers should also change any credit card web account passwords immediately when unauthorized charges are detected.

Haley said she wasn’t sure how much the credit protection service will cost the state.

“You don’t go slim on this. You go strong on this,” Haley said. “This is not going to be inexpensive. But it’s something I can confidently say that we did what we were supposed to do to take care of everyone in the state.”