COLUMBIA, SC — Hackers could have in their possession taxpayer information from the SC Department of Revenue that would allow crooks to take over bank accounts, file for bogus tax refunds or get fraudulent loans, national data security experts said Monday.
“This is about the worst you can get,” said Avivah Litan, an ID theft analyst with the information technology research group Gartner. Added Rick Holland, an analyst with Forrester Research, “If I were a resident of South Carolina, I would be pretty concerned.”
SC leaders are trying to resolve a cyber attack affecting four times as many people as all previous SC data breaches in the past seven years. [Click here for the Oct. 29 news conference video • Also, scroll to the bottom of this story for information about what to do if you have filed taxes in SC since 1998.]
Officials are working on improving security, while protecting taxpayers’ credit records for free. Meanwhile, the state Senate Finance Committee has asked Revenue Department director James Etter to explain the hacking at a hearing today — just four days after the theft, from an undisclosed location overseas, became public.
“This is really a disturbing thing,” said Senate Finance chairman Hugh Leatherman, R-Florence, said Monday. “Hopefully, we can put the genie back in the bottle.”
Gov. Nikki Haley and SLED Chief Mark Keel said Monday they do not know if hackers have taken additional information other than unencrypted Social Security numbers, belonging to 3.6 million SC taxpayers and dating back to 1998.
“To tell you now would be guessing,” Haley said.
Litan said she has never heard of Social Security numbers existing in a database without other identifying information. Tax returns include Social Security numbers, names, addresses, dates of birth and, in some cases, bank-routing numbers.
“As fraud analyst, I would be most nervous about someone having access to my tax records,” she said.
Plenty of SC taxpayers were nervous over the weekend, flooding lines set up by Experian, the California-based firm hired to provide ID theft protection for taxpayers. The company added operators Monday, though it still was suggesting the fastest way to register for ID theft protection was to register online. Those who need to sign up for protection can do so until Jan. 31.
The state, via Experian, is offering a year of free credit report monitoring, which can be used to help even with past problems found in credit histories. But crooks could use the stolen data for many years.
Haley hinted on Facebook on Monday the state might offer lifetime credit-report coverage. “We are working on getting you lifetime coverage,” Haley wrote. “I will be able to comment on that in (today’s) press conference.”
The state’s costs to provide the credit protection were not available Monday and will depend on how many people register, Haley said. About 455,000 people had called the state hotline by Monday morning with 154,000 people registering for credit protection.
She said the state was negotiating to offer protection at about $8 per person, which would cost the state about $29 million if every taxpayer affected registered.
Haley said the children of taxpayers, whose Social Security numbers are on tax returns as dependents, will be covered once their parents register. Business data were not compromised, the governor’s office said.
Haley said the state cannot automatically sign up taxpayers whose information has been compromised for the Experian program.
“When you’re dealing with the Department of Revenue, that is confidential information,” she said. “We are not allowed to go do something for someone that may not want it.”
Haley said she had no plans to discipline anyone for the attack, which started in August but was not discovered until Oct. 10 by the Secret Service. Keel said he could not provide any more details about the hackers, citing the ongoing investigation.
“Everything we have done, up until now, has been to protect the people,” Haley said. “I trust what the Secret Service has done. I trust the chief. And because of what we have done, we have actually further protected the people.”
State Inspector General Patrick Maley said he will meet with chief information officers from state agencies this week to talk about immediate fixes needed for other security gaps in the state’s other computer systems.
“We don’t need to address medium-range solutions while there is a hole in the kite,” he said.
Cyber attacks are a concern across the country.
Just one in four state chief information security officers nationwide said they are very confident in their states’ ability to guard data against an external cyber attack, according to a survey released last week. Seven in 10 reported a breach.
The hackers have unfettered access to the SC data they stole since the information was not protected with encryption codes. Haley said the Revenue Department data was not encrypted, which she said is standard for financial information at banks and businesses.
Fred Green, president of the SC Bankers Association, said banks only encrypt data during transactions. Otherwise, that information is protected by a firewall, he said.
Still, Holland, the ID theft analyst from the Boston-area research group, said not encrypting Social Security numbers in a state database, because the financial industry doesn’t do it, “sounds like a cop-out.”
“It’s negligent not to be doing it,” he said. “Organizations not doing that are behind the times.”
Haley said encrypting data can be complicated and cumbersome, though the state has started a two- to three-month process to encrypt Revenue Department data.
Many taxpayers were upset about the 16-day delay in informing the public.
“Two weeks is an eternity for the bad guys to have this information,” Holland said. “It’s important to act as soon as possible.”
Keel said the delay was necessary to allow authorities to conduct their investigation.
“None of us are completely protected from hackers,” Haley said. “It’s the new world that we live in.”
Haley said she and her husband, Michael, can identity with theft victims because, several years ago, they discovered someone had opened an unauthorized credit card under their names. The crook maxed out the card that went unpaid. Haley said clearing the couple’s credit history afterward took five years.
“It is something that is not fun,” Haley said. “I wish we had what we’re offering today.”
What to do
From the Governor's Office: Anyone who has filed a South Carolina tax return since 1998 should take the following steps:
1. Call 1-866-578-5422 where you will enroll in a consumer protection service. The call center is open 9:00 AM – 9:00 PM EST on Monday through Friday and 11:00 AM – 8:00 PM EST on Saturday and Sunday.
2. Then you will determine if you wish to have an online or US Mail alert mechanism.
3. For the online service, visit http://www.protectmyid.com/scdor. For the US Mail service, you will receive notifications via the US mail.
