
South Carolina Residents Remain Confused After Massive Data Breach

Months after the massive data breach at the South Carolina Department of Revenue where over three million names and Social Security numbers were exposed, residents remain confused about what steps the government is taking to secure their personal data.

In a survey of approximately 600 South Carolina residents, a majority said they didn't fully understand what compliance rules the state has to follow to keep their data safe and were very worried about the general safety of their information. They also criticized the state for the way the situation had been handled and the lack of communication since the breach.

Approximately 85 percent of the respondents said they did not know what changes they had to make, if any, in order to file next year's income taxes electronically. About 72 percent said they normally filed returns online, and said the state had not given them any new rules or requirements about e-filing. Interestingly enough, only 52 percent of the respondents said they were uncomfortable at the prospect of filing electronically going forward.

The fact that "affected individuals do not understand what they need to do in order to ensure their personal information is safe or what steps to take if it has been compromised" was telling, Rick Dakin, CEO and co-founder of Coalfire, said in a statement.

More than 60 percent said they signed up for one year's worth of credit monitoring the state offered after the breach, but felt it was not sufficient. Many felt the state should offer a longer monitoring duration or memberships to a full credit protection service such as Lifelock, because the thieves could easily wait out the year before using the stolen information. A few thought new Social Security numbers should be issued.

The lack of information about what to do after the breach angered many of the residents. "Information was never sent out to the people this would impact- we, as a state, were told to look it up ourselves. Additionally, if you are not vigilant in looking up information, you don't know what to do or what should happen next," a participant wrote on the Coalfire survey. Another said the state should have provided face-to-face or over-the-phone options, or even a dedicated website suggesting what they should be doing to safeguard their identity.

The state also did not do a good job informing the affected residents in the first place, respondents said. South Carolina discovered the breach Oct. 20 but waited a week before publicly acknowledging what had happened. Nearly three-quarters of the respondents said they heard about the breach from widespread media coverage, and only three percent said they found out about the breach after receiving the notification letter from the state.

Residents also wanted to know what the government is going to do to make sure such a breach wouldn't happen again. "It is worrisome that an IRS site was not hack proof," a respondent wrote in the survey.

“One key finding is that while citizens realize they are not experts on data security, they fully expect agencies such as state governments to safeguard their personal information,” Dakin added.

About a third of the residents said they think about the safety of their personal data, and two-thirds said they were more upset about this breach than similar incidents at other organizations. They were concerned about the fact that some of the affected victims were children, since their information was listed on tax returns as dependents.

More than 90 percent of the survey participants said they were aware their personal data may have been among the state income filings that were breached last year. The majority of the respondents, or 85 percent, had never been a victim of identity theft in the past.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.