COLUMBIA, SC — More than three months after officials revealed hackers had swiped financial data belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, the state still is continuing work to secure computers and notify victims.
Meanwhile, the costs rise.
A look at the latest information on where the hacking incident stands.
What is the price tag for the breach?
$20 million and counting. The tab, which has paid for credit monitoring, security upgrades and consultants, is expected to increase as other state agencies submit requests to bolster their computer systems. Gov. Nikki Haley's executive budget included at least another $16.6 million in breach-related requests.
Has the state started sending breach notifications?
Yes. Notifications began going out the week of Christmas for state residents. More than 600,000 of 2.6 million S.C. residents affected have received notifications, the governor's office said last week.
Out-of-state residents started getting notifications the week of Dec. 10. More than 760,000 of 1.2 million out-of-state residents affected have received notices.
People who signed up for credit monitoring with Experian by mid-December should get emails. Others will receive letters. Notifications should finish in the next few weeks.
Sending notifications is costing the state $1.2 million.
Why send notifications when there has been so much media exposure about the breach?
A Winthrop University poll found 90 percent of South Carolinians had some knowledge about the hacking, but that does not mean everyone has the information needed to better protect their financial records, such as how to enroll for credit monitoring or apply for a credit freeze. (Consider: S.C. ranked 44th in the nation in web access, according to the 2010 Census. About 1.4 million South Carolinians have no Internet access.) The notifications provide details on what to do as well as confirmation that an individual's information was stolen.
The state says hackers only stole information on tax returns filed electronically, but aren't paper returns converted to electronic records?
Yes. But those files are stored in a separate system that was not hit by the hackers, the Revenue Department said. That means people who filed paper returns are not affected by the breach.
Is there still time to enroll for credit monitoring?
Yes. The registration deadline for a year of credit monitoring has been extended two months to March 31. The state is paying $12 million to Experian for the service under the state's emergency procurement law, which does not require getting bids from several providers.
More than a million of the 3.8 million affected taxpayers have enrolled for credit monitoring, the governor's office said. (Register: www.protectmyid.com/scdor and enter code SCDOR123 or call (866) 578-5422)
The enrollment rate so far, 26 percent, surpasses the industry norm of 5 percent to 15 percent, said Jon Neiditz, an attorney with the Nelson Mullins law firm in Columbia, which the state has paid $300,000 for hacking-related legal advice.
Can't the state just enroll everyone automatically?
That's under debate. Some lawmakers are proposing to do that, giving people the ability to opt out. But S.C. officials say the state has no right to enroll residents without their permission.
Will taxpayers get credit monitoring for more than a year?
Perhaps. Experian is offering a second year of coverage for $10 million. A top Haley aide told lawmakers the state will follow regular procurement procedures moving forward. Some legislators have said monitoring should be provided at no cost since it gives a credit-monitoring company access to millions of potential customers. Experian charges $160 to $240 a year for its monitoring service. Lawmakers also have said they want a longer-term solution since 1.9 million dependents, mainly children, also had their personal information taken and will need protection for decades to come.
Is the state securing its computers?
Yes, but a full plan is taking time. Agencies took some immediate steps to reduce access and boost monitoring. The Revenue Department has said it now is encrypting data. The agency was in talks for a $4 million encrypting contract with Boston-area computer firm EMC. The state's 16 cabinet agencies also will get a program that shuts down computers when they are hit by viruses or are uploading an unusually large amount of data.
More security work at other agencies will come after the state hires a consultant to assess South Carolina's needs. No timetable has been released.
Are authorities close to catching the hackers?
Unclear. SLED chief Mark Keel said last week he still could not release details of the law enforcement investigation into the breach. He did not know when authorities could share information. Keel said the case still centers on hackers from overseas. There have been no reports of stolen information being used.
Can the public see the full investigative report from Mandiant, the computer forensics firm hired by the state for $750,000 to examine that breach?
No. A summary report was released in November, but it did not include all the security-improvement recommendations and glitches found. The state says it won't release the report because of security concerns. But it has provided copies of the report to the S.C. House and Senate that can be read by members after signing a confidentiality agreement.
A former Revenue Department security administrator testified last week that his boss did not make protecting data a priority. Has anyone been punished for the breach?
Not really. The agency said no employees have been disciplined because of the hacking. Revenue Department director Jim Etter did leave last month, a departure he made by mutual decision with Haley. He was succeeded by S.C. Public Employee Benefit Authority director Bill Blume. The boss mentioned in the legislative testimony last week left the Revenue Department in September, before the breach was discovered.
What are S.C. lawmakers proposing?
They have introduced bills to offer taxpayers state income tax credits or deductions to offset the cost of buying identity-theft protection, to create a fund to repay hacking victims and to appoint a state chief information officer who would coordinate computer security.