The U.S. Secret Service detected a security breach at the S.C. Department of Revenue on Oct. 10, but it took state officials 10 days to close the attackers access and another six days to inform the public that 3.6 million Social Security numbers had been compromised.
The attack also exposed 387,000 credit and debit card numbers. The stolen data included other information people file with their tax returns such as names and addresses. Businesses taxpayer identification numbers also potentially have been comprised in the attack that is being described as one of the nations largest against a state agency.
The attack affects tax returns as far back as 1998, the Revenue Department said. But not all of the departments data so not every taxpayer was affected, it said.
Most of the data had not been encrypted, meaning the hacker would not need a key to a secret code to read the stolen data.
Revenue director James Etter said none of the Social Security numbers were encrypted and about 16,000 credit card numbers were not encrypted.
That was not part of the system at that point, Etter said during Gov. Nikki Haleys press conference Friday to announce the breach. Thats something well be looking into.
Officials, including State Law Enforcement Division Chief Mark Keel, said the millions of affected S.C. taxpayers had not been notified sooner because agents needed to reach certain benchmarks in their investigation.
Keel said it took time to determine how much data had been compromised. And investigators needed time to gather evidence that could lead to prosecution.
It is not known how the security breach has affected taxpayers and whether or how the hacker might have used the data.
The Revenue Department established a toll-free phone line and a website for taxpayers who might be affected, but the system was overwhelmed Friday afternoon by the hundreds of thousands of people calling. The Revenue Department is increasing the number of receptionists at its call center, which will be open over the weekend, DOR spokeswoman Samantha Cheek said.
The security breach will be costly for the state, which hired a private cyber security firm to block the attack and to install new equipment and software at the Revenue Department. The state also promised to pay for one year of credit monitoring and identity theft protection for those affected.
The attack led Haley to pledge to beef up the states vulnerable information technology systems. She signed an executive order directing Cabinet agencies to cooperate with the state inspector general in an assessment of security. The order says that the states information technology security procedures have been largely uncoordinated and outdated.
It appears the hackers first attempt to probe the Revenue Departments system came from a foreign Internet address on Aug. 27. Officials would not disclose where the attack originated.
The attack was discovered Oct. 10 by the U.S. Secret Services electronic crimes task force in South Carolina, Special Agent in Charge Michael Williams said.
His office notified SLED, and state agencies began scrambling to address the problem.
Upon the Secret Services recommendation, the state on Oct. 12 hired Mandiant, a private computer security firm based in Alexandria, Va. It was Mandiants experts who discovered that the hacker made two attempts to enter the system in early September and obtained data in mid-September. The company blocked the attackers access to the server Oct. 20.
The company also installed log-in monitoring and other tools to deter another attack, said Marshall Heilman, the companys director of services.
Mandiants investigation into the attack is ongoing,
We tend to measure investigations in weeks and months, not hours and days, Heilman said during a Friday press conference. We appreciate your patience.
Officials declined to provide further details on the hacker or efforts to bring the person or persons to justice.
My instructions to them were to slam him to the wall, Haley said of her discussions with SLEDs Keel.
The attack was one of the largest the Secret Service has seen but not the biggest, Williams said.
The Privacy Rights Clearinghouse in San Diego, Calif., has compiled records of government security breaches since 2005. A State newspaper check of the clearinghouses database does not show any breaches of tax information that even approach the size of the attack against South Carolina.
The clearinghouse, a 20-year-old, nonprofit consumer and privacy advocacy organization, listed 11 other cases of tax records breaches by government agencies.
The groups director, Beth Givens, described South Carolinas example as a massive breach.
This database should have been encrypted, Givens said. The fact that it wasnt is a significant failing.
She also criticized the states delay in notifying taxpayers.
I dont give the tax agency high marks for the amount of time it has taken to notify these individuals. She said a lot of damage could have occurred since the attackers first struck.
Haley vowed to better protect S.C. residents personal information in April after a state employee gained access to 228,000 Medicaid beneficiaries data. She put the word out that jobs were on the line if supervisors were not vigilant in protecting private information.
S.C. Inspector General Patrick Maley said nine agencies had been evaluated thus far, and some corrective action had been taken. There was no overarching security policy within state government, he said.
No one at the Revenue Department or within the states information technology division has been disciplined over the latest attack. Haley said the latest cyber attack is different from the one reported in April.
That was an internal breach. This is totally different. This is unprecedented, Haley said. This is an international attack that did not come from the inside, that was creative in nature and reminds all of us that were in a different age and time where internally is not just where you have to look. We have to look externally.
Reporter Clif LeBlanc contributed to this report.