A South Carolina state agency's website has been hacked and millions of social security numbers and credit and debit card numbers belonging to approximately 77 percent of South Carolina residents have been compromised.
Governor Nikki Haley, SLED chief Mark Keel, and others gathered at SLED headquarter Friday afternoon to talk about the breach and how residents can take immediate steps to protect themselves against identity-theft.
"This is not a good day for South Carolina," said Governor Nikki Haley. "South Carolina has come under attack by an international hacker."
State officials revealed Friday that someone in a foreign country gained access to the South Carolina Department of Revenue's website and a server was breached for the first time in late August.
387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.
Of the credit cards, the vast majority are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, DOR officials said. However, approximately 16,000 were unencrypted and exposed.
Officials found out about the breach on October 10. On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made on August 27.
In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered.
On October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured.
"On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers," said DOR Director James Etter. "We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor's office."
"When this breach occurred and it was discovered," said Keel. "it took a while for experts to determine how much data had actually been compromised.
"It was important that we had the time to work through our investigation so that we would have enough evidence to prosecute this person," said Keel.
Haley said she knows where the attack came from, but would not reveal the location of the hacker so the investigation would not be put in jeopardy. "I want this person slammed against the wall," said Haley. "I want that man just brutalized."
Keel said no state funds were touched during this data breach.
"We are going to have a very strong approach to make sure that every South Carolina taxpayer is protected," said Haley. "No taxpayer should be a victim to this. We will take care of them."
If you have paid taxes in the state of South Carolina since 1998, you are urged call 1-866-578-5422 to get an activation code to use here: www.protectmyid.com/scdor to see if your information has been compromised. If so, the state will provide a year of identity-theft protection and credit monitoring free of charge.
"Whatever it takes to do this, we are going to do," said Haley on potential costs for protecting residents. "This is not going to be inexpensive."
"I'm a little concerned," said Diane Ranger. "I don't want to have to change all my credit cards or any of that. But I'll do what I have to do."
"It makes me feel like I'm being invaded," said Linda Bowers. "How can I stop this? What can I do about it and why weren't you notified any sooner so you could notify us?"
Juliana Harris with the South Carolina Department of Consumer Affairs said regular monitoring of your financials and credit reports is critical.
"Be proactive," said Harris. "Look at your credit report. Look for errors: misspellings of name, addresses you've never lived at. That type of thing, indicator of error of ID theft."
You can also call the individual credit protection bureaus to request a fraud alert.
"The fraud alert lasts 90 days and alerts creditors that would be pulling your credit report to take extra steps to identify you," said Harris.
Or you can request a security freeze.
"It stops anyone from accessing your credit report without your expressed permission," she said. "It's a good tool to stop people from getting extra lines of credit."
Harris says if you suspect you've been exposed, it requires constant monitoring.
If credit card information is compromised, the best protection is to have the bank reissue the card. Anyone who has used a credit card in a transaction with the Department of Revenue should check bank accounts regularly to see if any unauthorized charges have occurred. If so, the cardholder should contact the credit card issuer immediately by calling the toll-free number located on the back of the card or on a monthly statement, tell them what you have seen, and ask them to cancel and reissue the card.
Consumers should also change any credit card web account passwords immediately when unauthorized charges are detected.
In addition to the Experian service, state officials urged individuals to consider additional steps to protect their identity and financial information, including:
- Regularly review credit reports;
- Place fraud alerts with the three credit bureaus;
- Place a security freeze on financial and credit information with the three credit bureaus.
Here's how to contact all three credit bureaus:
Equifax Fraud Reporting
1-800-525-6285
P.O. Box 740241
Atlanta, GA 30374-0241
www.equifax.com
Experian Fraud Reporting
1-888-397-3742
P.O. Box 9532
Allen, TX 75013
www.experian.com
TransUnion Fraud Reporting
1-800-680-7289
Fraud Victim Assistance Division
P.O. Box 6790 Fullerton, CA 92834-6790
www.transunion.com