Up to 657,000 businesses may have had their identification data compromised during the recently-discovered breach in South Carolina’s tax agency, Governor Nikki Haley said Wednesday. In response, the governor announced that the credit information company Dun & Bradstreet Credibility Corp. will soon offer a free lifetime credit monitoring service to all companies that filed taxes since 1998.
“This is the kindness of a company that sees that we are going through a crisis and they wanted to help,” Haley said. “We’re grateful for that… (I)n a time we’re talking about bad people… I think it says a lot that we still have good people out there.”
Beginning Friday morning at 8 a.m., affected business owners can go to DandB.com/sc to sign up for the service. The company will provide a CreditAlert product to any business that has filed taxes since 1998. The alert will inform them of any changes in their credit scores or ratings that could be a sign of fraudulent activity due to identity theft. You can also call its customer service at (800) 279-9881.
The governor said that the service by Dun & Bradstreet would have no cost for the state. The credit rating agency Experian is also offering a similar deal, according to the Governor’s Office spokesman Rob Godfrey.
And, as a reminder, if you think your own personal Social Security number was one of the 3.6 million stolen, you can visit protectmyid.com/sc and type in the activation code scdor123 to see if you are eligible for free credit monitoring provided by Experian. So far, more than 418,000 people have enrolled in a free yearlong credit monitoring service being offered by Experian. The company will also offer lifetime credit protection, which helps clean up any damages from the theft but does not include monitoring.
The fact that business numbers were also compromised was not revealed until a Senate committee hearing on Tuesday. At the time, Department of Revenue director Jim Etter told lawmakers he had just learned about the news and did not know how many businesses were affected. On Wednesday, Haley reiterated that state officials still do not know the actual number of businesses, but added it could be as many as 657,000. She said officials decided to offer protection to all South Carolina businesses that have filed taxes since 1998.
“We are staying on the very, very cautious side,” Haley said.
According to a timeline presented by the Department of Revenue, the agency was notified about the breach on October 10 (although it is believed the hacker actually obtained the data in mid-September). The agency soon hired the cyber security firm Mandiant to investigate and recommend ways to close the “hole” that the hacker used to access the system. The hole was closed on October 20 and the agency made the breach public on October 26.
Haley and Etter gave very few additional details on the hack itself Wednesday, saying that law enforcement officials did not want them to speak on the matter. However, Etter did say that Mandiant reported “what hole was open” on October 19 and the agency closed it a day later.
“On the morning of the 20th, a Saturday morning, my staff went in at their recommendation and did close that hole within the system,” Etter said Wednesday.
Etter previously said that the hacker used Department of Revenue credentials to access the database, but added he could not say how the hacker got the credentials. Secret Service investigators have said a foreign computer was used to get into the system.