About 3.6 Million SSNs Exposed in Hack Of South Carolina Tax Agency's System

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

RALEIGH, N.C.--About 3.6 million Social Security numbers and some 387,000 credit and debit card numbers have been exposed in a cyber-attack on the South Carolina Department of Revenue Agency's database, a spokeswoman for the agency told BNA Oct. 26.

On Oct. 31, Gov. Nikki Haley (R) announced that tax information on as many as 657,000 businesses also was exposed.

According to the governor, business information exposed in the attack “is already public,” such as Employer ID numbers (EINs), account numbers, and Social Security numbers that may be associated with a company.

According to Samantha Cheek, the department's public information director, the agency currently is not aware of any misuse of victims' confidential information related to a cyber-attack on its system. “As this is an ongoing criminal investigation we cannot comment as to the origin of the attack,” she said.

In an Oct. 26 announcement, the agency said investigators found that the agency's system was hacked in early September and the taxpayer information appears to have been obtained in mid-September. The agency said it has addressed the vulnerability to its system and is working with state and federal law enforcement entities.

Credit, Debit Information Also at Risk.

According to the revenue agency, the vast majority of the credit cards that were exposed were protected by “a strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders.” However, some 16,000 affected credit cards were unencrypted, the agency said.

The state later said it believes that all credit card numbers exposed in the breach were for expired cards.

Taxpayers who have filed a South Carolina tax return since 1998 are potentially affected by the data breach. The state is offering one year of credit monitoring and identity theft protection to victims of the attack.

Following the announcement of the breach, Haley Oct. 26 issued an executive order (No. 2012-10) calling on South Carolina agencies to coordinate with the state Inspector General's Office in an effort to review and strengthen their information technology security procedures and protocols.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Haley said in an Oct. 26 statement.

“We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected,” she said.

Haley said that Dun & Bradstreet will offer South Carolina businesses that have filed a tax return with the state since 1998 a free service that will alert them to changes that take place in their credit files. Changes in business address and officers are among those items being monitored, she said.

Dun & Bradstreet was scheduled to launch a website for enrollment Nov. 2 and also is offering a toll-free number, the governor said. The monitoring will be provided for free “for the life of the business,” according to Haley.

Out-of-state companies that filed tax returns with South Carolina also may access Dun & Bradstreet's services as well, Haley said in a Nov. 1 update to reporters.

In addition, Haley said, state officials have contacted the Federal Trade Commission and the Internal Revenue Service to inform those federal agencies of the data that had been exposed. She said that state officials are working with the IRS to allow South Carolina businesses to change their EINs if they so choose.

By Andrew M. Ballard  

The executive order is available at http://governor.sc.gov/ExecutiveOffice/Documents/2012-10%20Reviewing%20IT%20Security.pdf.

Request Bloomberg Law: Privacy & Data Security