The U.S. Secret Service detected a security breach at the S.C. Department of Revenue on Oct. 10, but it took state officials 10 days to close the attacker’s access and another six days to inform the public that 3.6 million Social Security numbers had been compromised.

The attack also exposed 387,000 credit and debit card numbers. The stolen data included other information people file with their tax returns such as names and addresses. Businesses’ taxpayer identification numbers also potentially have been comprised in the attack that is being described as one of the nation’s largest against a state agency.

The attack affects tax returns as far back as 1998, the Revenue Department said. But not all of the department’s data – so not every taxpayer – was affected, it said.

Most of the data had not been encrypted, meaning the hacker would not need a key to a secret code to read the stolen data.

Revenue director James Etter said none of the Social Security numbers were encrypted and about 16,000 credit card numbers were not encrypted.

“That was not part of the system at that point,” Etter said during Gov. Nikki Haley’s press conference Friday to announce the breach. “That’s something we’ll be looking into.”

Officials, including State Law Enforcement Division Chief Mark Keel, said the millions of affected S.C. taxpayers had not been notified sooner because agents needed to reach “certain benchmarks in their investigation.”

Keel said it took time to determine how much data had been compromised. And investigators needed time to gather evidence that could lead to prosecution.

It is not known how the security breach has affected taxpayers and whether or how the hacker might have used the data.

The Revenue Department established a toll-free phone line and a website for taxpayers who might be affected, but the system was overwhelmed Friday afternoon by the hundreds of thousands of people calling. The Revenue Department is increasing the number of receptionists at its call center, which will be open over the weekend, DOR spokeswoman Samantha Cheek said.

The security breach will be costly for the state, which hired a private cyber security firm to block the attack and to install new equipment and software at the Revenue Department. The state also promised to pay for one year of credit monitoring and identity theft protection for those affected.

The attack led Haley to pledge to beef up the state’s vulnerable information technology systems. She signed an executive order directing Cabinet agencies to cooperate with the state inspector general in an assessment of security. The order says that the state’s information technology security procedures have been “largely uncoordinated and outdated.”

It appears the hacker’s first attempt to probe the Revenue Department’s system came from a foreign Internet address on Aug. 27. Officials would not disclose where the attack originated.

The attack was discovered Oct. 10 by the U.S. Secret Service’s electronic crimes task force in South Carolina, Special Agent in Charge Michael Williams said.

His office notified SLED, and state agencies began scrambling to address the problem.

Upon the Secret Service’s recommendation, the state on Oct. 12 hired Mandiant, a private computer security firm based in Alexandria, Va. It was Mandiant’s experts who discovered that the hacker made two attempts to enter the system in early September and obtained data in mid-September. The company blocked the attacker’s access to the server Oct. 20.

The company also installed log-in monitoring and other tools to deter another attack, said Marshall Heilman, the company’s director of services.

Mandiant’s investigation into the attack is ongoing,

“We tend to measure investigations in weeks and months, not hours and days,” Heilman said during a Friday press conference. “We appreciate your patience.”

Officials declined to provide further details on the hacker or efforts to bring the person or persons to justice.

“My instructions to them were to slam him to the wall,” Haley said of her discussions with SLED’s Keel.

The attack was one of the largest the Secret Service has seen but not the biggest, Williams said.

The Privacy Rights Clearinghouse in San Diego, Calif., has compiled records of government security breaches since 2005. A State newspaper check of the clearinghouse’s database does not show any breaches of tax information that even approach the size of the attack against South Carolina.

The clearinghouse, a 20-year-old, nonprofit consumer and privacy advocacy organization, listed 11 other cases of tax records breaches by government agencies.

The group’s director, Beth Givens, described South Carolina’s example as a “massive breach.”

“This database should have been encrypted,” Givens said. “The fact that it wasn’t is a significant failing.”

She also criticized the state’s delay in notifying taxpayers.

“I don’t give the tax agency high marks for the amount of time it has taken to notify these individuals.” She said a lot of damage could have occurred since the attackers first struck.

Haley vowed to better protect S.C. residents’ personal information in April after a state employee gained access to 228,000 Medicaid beneficiaries’ data. She put the word out that jobs were on the line if supervisors were not vigilant in protecting private information.

S.C. Inspector General Patrick Maley said nine agencies had been evaluated thus far, and some corrective action had been taken. There was no overarching security policy within state government, he said.

No one at the Revenue Department or within the state’s information technology division has been disciplined over the latest attack. Haley said the latest cyber attack is different from the one reported in April.

“That was an internal breach. This is totally different. This is unprecedented,” Haley said. “This is an international attack that did not come from the inside, that was creative in nature and reminds all of us that we’re in a different age and time where internally is not just where you have to look. We have to look externally.”

Reporter Clif LeBlanc contributed to this report.