South Carolina Data Breach Exposes 3.6 Million Tax Payers
State officials in South Carolina say a devastating cyberattack on the state's Department of Revenue has resulted in the theft of 3.6 million social security numbers and nearly 400,000 credit and debit card numbers.
According to the Department of Revenue (DOR), the vast majority of the credit card numbers are protected by strong encryption. However, approximately 16,000 are unencrypted.
“On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers,” said Department of Revenue Director James Etter, in a statement. “We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”
Six days later, investigators uncovered two attempts to probe the system in early September, as well as a previous attempt that was made in late August. In mid-September, two other intrusions occurred that authorities believe were the first times the intruder or intruders obtained data. No other intrusions have been uncovered at this time, and on Oct. 20, the vulnerability in the system was closed, according to the DOR.
“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” said South Carolina Governor Nikki Haley in a statement. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”
In a survey by Deloitte & Touche released this week, less than a quarter of state chief information security officers said they were confident in their states' ability to safeguard data from attacks. Just 32 percent of CISOs felt state employees had the "required cyber-security competency."
In light of the recent attack, Gov. Haley issued an executive order instructing state IT officers to work with the Office of the State Inspector General to review and bolster security.
“From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we’ve taken has been consistent with that priority,” Etter said. “We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation.”
It has been a tough year for the State. In late August, The University of South Carolina (USC) notified some 34,000 people after a system intrusion was detected on a computer used by the College of Education.