Massive personal identity breach of S.C. taxpayers

Image by Flickr user Andres Rueda

Update: As time passes, citizens are being left with more questions than answers.

The state of South Carolina is reporting that a massive theft of personal information was discovered 16 days ago after state records were compromised in what is believed to be an international attack.

Some 3.6 million Social Security numbers and 387,000 credit and debit card numbers have been exposed in a cyber attack. Of the credit cards, the majority are protected by encryption, some 16,000 are unencrypted.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the state of South Carolina and all our citizens,” said Governor Nikki Haley. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”

Anyone who has filed a South Carolina tax return since 1998 is urged to call 1- 866-578-5422 to determine if their information is affected. If so, you can enroll in one year of identity protection service at  protectmyid.com/scdor

What is not yet clear is just how the breach occurred and why the state waited more than two weeks to inform citizens about the security risk while it scrambled to repair the flaw.

The state recites the following timeline:

On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered at this time. On October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured.

You can see the full timeline here.

We'll be sure to keep you posted.