RALEIGH, N.C.--About 3.6 million Social Security numbers and some 387,000
credit and debit card numbers have been exposed in a cyber-attack on the South
Carolina Department of Revenue Agency's database, a spokeswoman for the agency
told BNA Oct. 26.
On Oct. 31, Gov. Nikki Haley (R) announced that tax information on as many as
657,000 businesses also was exposed.
According to the governor, business information exposed in the attack “is
already public,” such as Employer ID numbers (EINs), account numbers, and Social
Security numbers that may be associated with a company.
According to Samantha Cheek, the department's public information director,
the agency currently is not aware of any misuse of victims' confidential
information related to a cyber-attack on its system. “As this is an ongoing
criminal investigation we cannot comment as to the origin of the attack,” she
In an Oct. 26 announcement, the agency said investigators found that the
agency's system was hacked in early September and the taxpayer information
appears to have been obtained in mid-September. The agency said it has addressed
the vulnerability to its system and is working with state and federal law
According to the revenue agency, the vast majority of the credit cards that
were exposed were protected by “a strong encryption deemed sufficient under the
demanding credit card industry standards to protect the data and cardholders.”
However, some 16,000 affected credit cards were unencrypted, the agency
The state later said it believes that all credit card numbers exposed in the
breach were for expired cards.
Taxpayers who have filed a South Carolina tax return since 1998 are
potentially affected by the data breach. The state is offering one year of
credit monitoring and identity theft protection to victims of the attack.
Following the announcement of the breach, Haley Oct. 26 issued an executive
2012-10) calling on South Carolina agencies to coordinate with the state
Inspector General's Office in an effort to review and strengthen their
information technology security procedures and protocols.
“The number of records breached requires an unprecedented, large-scale
response by the Department of Revenue, the State of South Carolina and all our
citizens,” Haley said in an Oct. 26 statement.
“We are taking immediate steps to protect the taxpayers of South Carolina,
including providing one year of credit monitoring and identity protection to
those affected,” she said.
Haley said that Dun & Bradstreet will offer South Carolina businesses
that have filed a tax return with the state since 1998 a free service that will
alert them to changes that take place in their credit files. Changes in business
address and officers are among those items being monitored, she said.
Dun & Bradstreet was scheduled to launch a website for enrollment Nov. 2
and also is offering a toll-free number, the governor said. The monitoring will
be provided for free “for the life of the business,” according to Haley.
Out-of-state companies that filed tax returns with South Carolina also may
access Dun & Bradstreet's services as well, Haley said in a Nov. 1 update to
In addition, Haley said, state officials have contacted the Federal Trade
Commission and the Internal Revenue Service to inform those federal agencies of
the data that had been exposed. She said that state officials are working with
the IRS to allow South Carolina businesses to change their EINs if they so
By Andrew M. Ballard
The executive order is available at http://governor.sc.gov/ExecutiveOffice/Documents/2012-10%20Reviewing%20IT%20Security.pdf.