COLUMBIA — A hacker who gained access to South Carolinians’ Social Security numbers and credit card information also uncovered data about companies, a state official revealed Tuesday.
The hacker broke into the Revenue Department’s database using specific identification information that few people in the state have.
Those revelations came during an S.C. Senate Finance Committee meeting to answer questions surrounding the cyber-attack that could affect millions of South Carolina residents who have filed taxes here since 1998.
Previously, the state had indicated that it was not aware of any business information that had been compromised in the breach announced Friday.
Revenue Department Director James Etter told the Finance Committee that some companies’ state identification numbers also were stored in the database that contained 3.6 million unencrypted Social Security numbers and 387,000 credit or debit card numbers.
Etter said he did not know how many businesses had information in the database, but said the companies’ state ID numbers will be changed as a result of the breach.
Etter also disclosed that the hacker used identification information to get into the Revenue Department system. About 250 people have such information to access the database, he said.
The new disclosures from Etter came near the end of a two-hour afternoon hearing in which several senators from both parties expressed strong dissatisfaction with his responses.
“I have not heard direct answers to many of the questions I’ve asked,” said Finance Committee Chairman Hugh Leatherman, R-Florence.
Sen. Kevin Bryant, R-Anderson, and Majority Leader Harvey Peeler, R-Gaffney, pressed Etter for information on what companies in their districts should do.
“I can’t tell my business owners to just cross their fingers,” Bryant said.
The state was “working through” data Tuesday evening, said Rob Godfrey, a spokesman for Gov. Nikki Haley. Godfrey said business owners “will absolutely be protected,” and that the state would have additional details today.
Several senators questioned why the state is requiring those affected by the breach to contact protection service Experian.
Senators suggested that the state should just provide Experian the ability to go ahead and protect taxpayers.
“We’re putting an obligation on people because of our failure,” said Sen. Phil Leventis, D-Sumter.
Thad Westbrook, an attorney from the Nelson Mullins law firm retained by the state in the hacking crisis, told senators there are legal issues with the state giving Experian consent, rather than individual taxpayers.
The hearing followed a morning press conference from Haley and other state officials in which the governor said Experian has agreed to cap the state’s costs at $12 million for a year’s worth of credit monitoring for taxpayers affected by the breach.
Haley said taxpayers will receive lifetime free credit-fraud resolution in addition to the year of monitoring.
Bryant questioned why the state is paying Experian at all when the company landed millions of potential new clients in South Carolina after the year of free monitoring is up.
In addition to the contract with Experian, the state has spent $125,000 on help from consulting company Mandiant to address data safety measures.
The cost of the legal assistance from Nelson Mullins was not available Tuesday.
Officials have said it could be weeks before authorities learn exactly what information was swiped from the database during a series of cyber-attacks that date to Aug. 27.
State Law Enforcement Division Chief Mark Keel declined to go into details on the investigation Tuesday, citing its ongoing nature. The Secret Service is leading that investigation.
The man who supervised the Revenue Department’s computer system resigned less than three weeks before officials discovered the massive hacking breach, but agency officials said the two events are unrelated.
Mike Garon, a senior administrator and chief information officer for the agency, resigned from his position Sept. 21, according to department spokeswoman Samantha Cheek. The hacking breach was discovered Oct. 10, officials have said.
Cheek refused to provide specifics as to why Garon resigned, but said “his resignation and the recent cyber-attack on DOR are not relevant to one another.”
“Mike Garon’s resignation is a personnel matter and not one that we are going to comment on,” she said.
Garon could not be reached for comment.
Cheek would not answer questions about the department’s computer system, including who is in charge of its security, how much it cost and how old it is. She did note that there had been no previous security breaches.
“As the investigation is still ongoing, it would be premature for DOR to comment on these specifics at this time,” Cheek said.