A foreign hacker was able to get into a South Carolina Department of Revenue database and state officials said Friday that more than 3.6 million Social Security numbers and 387,000 credit card numbers have been exposed.
The Greenville News and its sister station WLTX in Columbia first reported on the breach after speaking to several state officials Friday morning. Those officials refused to say whether the database has been retrieved, calling it a “sensitive investigation.”
Gov. Nikki Haley, State Law Enforcement Division Chief Mark Keel, Revenue Director James Etter, State Inspector General Patrick Maley and others held a press conference Friday afternoon. ”This is not a good day for South Carolina,” said the governor.”This is one where a lot a people have come together to fix a situation I wish we never would have had, but we have. South Carolina has come under attack by an international hacker.”
There are a little less than 4.6 million people living in South Carolina, according to U.S. Census data. “The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Governor Nikki Haley said in a statement.
State Law Enforcement Division Chief Mark Keel said officials first learned about a breach on the Department of Revenue’s website on October 10. On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. The Department of Revenue says the hacker obtained data for the first time in mid-September. No other intrusions have been uncovered at this time. On October 20, the vulnerability in the system was closed and secured, DOR officials said.
Anyone who has filed a South Carolina tax return since 1998 is immediately being asked to call 1-866-578-5422 to determine if their information is affected. You will then be given an “activation code” to visit protectmyid.com/scdor. The state will provide those affected with one year of credit monitoring and identify-theft protection, officials said. The Department of Revenue is currently working with information security company Mandiant to help secure its system.
All but 16,000 of the credit cards were encrypted so they could not be used by third-party groups, officials said. But they said they don’t know whether hackers could break the encryption.