A week after a massive data-security breach at the state Department of Revenue was revealed, South Carolinians remain upset and confused, calling and emailing as they try to learn what happened and how their finances can be protected.
Here are answers to some of the questions sent to The State this week:
How did this happen?
Overseas hackers used state-approved credentials to access the Revenue Department’s computer system in September and take up to 4.25 million state tax records of individuals and businesses, and 387,000 credit card numbers. The records date back to 1998. The state does not know how many records -- if not all of the them -- were exposed and have suggested anyone who filed a S.C. return since 1998 take precautions.
Only 16,000 of the credit card numbers were unencrypted. But anything on a tax form, including checking-account information used for direct deposit, has been exposed. The state learned of the breach from the Secret Service on Oct. 10, investigated for more than two weeks and told the public on Oct. 26.
How is the state fixing this?
The Revenue Department now is encrypting data, using the state’s computer network monitoring system and considering not holding tax data for so long. The governor also has asked the state inspector general to review technology policies at state agencies and devise recommendations.
How is S.C. helping victims?
Consumers can get one-year credit monitoring and up to $2 million in insurance and lifetime credit-fraud resolution, paid for by the state, from Experian. The deadline is Jan. 31.
If possible, enroll online. The hotline has been so jammed much of the week that people get a recording that asks them to call later.
Consumers can register at protectmyid.com/scdor (use the code “scdor123”) or call (866) 578-5422.
Businesses can get free credit-report monitoring from two companies. They have no registration deadline.
• Dun & Bradstreet Credibility Corp.– dandb.com/sc or call (800) 279-9881
• Experian - smartbusinessreports/southcarolina
Does enrolling online complete credit-monitoring registration for consumers?
No. Based on notices at the end of the initial registration, people will need to call the hotline or wait for a letter sent within 10 business days with a code to finish the enrollment. (UPDATE: Customers will receive this message if they have entered some information that doesn't match with Experian records, the company says.)
Will credit monitoring keep away ID thieves?
Not necessarily. The monitoring will keep an eye out for credit inquiries, opened accounts and bill delinquencies at all three credit-reporting agencies – Experian, Equifax and TransUnion. However, an alert might come after a crook already has struck. Still, the monitoring should inform consumers about problems sooner than waiting to find a bogus account on a credit report. And it’s free to consumers for a year. Consumers also can get one free credit report from each of the credit-reporting agencies annually at annualcreditreport.com.
What happens after a year?
Consumers will have to decide whether to pay to continue monitoring and the insurance. Experian charges $160 to $240 a year for coverage.
Does the threat of ID theft drop a year after a security breach?
Not really, experts say. Crooks can hang onto – or sell – data years after a hack. The biggest concern is Social Security numbers. Consumers can change credit-card numbers or passwords. They can’t get a new Social Security number without a lot of effort.
Are kids covered?
Yes, but parents cannot register them directly. After consumers enroll, Experian will look at records for dependents and send a notice in a few weeks about registering children. Adult children – those 18 and older – must register on their own, though some consumers have said the Experian website would not enroll them. They should call the hotline.
What about people who paid S.C. taxes since 1998 but are living out of state?
They enroll like everyone else. They also should get letters within a few weeks telling them about the breach and credit monitoring. If they have problems enrolling online, call the hotline.
Do couples who file their taxes jointly need to enroll more than once?
Each person needs to enroll separately.
Is anything being done to help the elderly and those without web access?
Not immediately. Gov. Nikki Haley asked her Cabinet directors to come up with ideas by Tuesday. The AARP also is looking for solutions. In the meantime, individual taxpayers have until Jan. 31 to register – hopefully enough time for the phone lines to clear up.
How can people without an email address enroll?
They should call the hotline.
What should consumers do if they are redirected to ProtectMyID’s main page when they use the address for S.C. breach victims?
Try using different web browser on their computer or delete the cookies for protectmyid.com.
Should consumers freeze their credit records?
Maybe. Cautious consumers can put a lid on their credit records that prevents the issuance of new credit cards and loans. Consumers have to register with all three credit-reporting agencies for freezes. But they also will need to unfreeze the records if they want a loan or new credit card – a potential hassle though thaws are supposed to happen within 15 minutes of a request. Visit www.consumer.sc.gov for instructions.
To freeze your accounts, contact:
• Equifax: https://www.freeze.equifax.com, (800) 685-1111
• Experian: https://www.experian.com/freeze, (888) 397-3742
• TransUnion: https://freeze.transunion.com, (800) 680-7289
Should consumers close their checking accounts and get new credit cards?
Probably not. Banks will make customers whole if crooks steal money from accounts, the S.C. Bankers Association said. Customers must tell banks within 60 days of getting their statement about the theft. Banks also will not hold customers liable for fraudulent credit-card charges.
Can someone with another person’s tax information fraudulently file for tax refunds and Social Security benefits?
Yes. The Internal Revenue Service and the Social Security Administration said they have safeguards in place to prevent ID theft but cases happen, data-security experts said. Consumers can do little to prevent this except make sure they receive weekly benefits checks and their refunds.
Will the bad guys who stole the tax information get caught?
Unlikely. Steven Toporoff, an attorney for the Federal Trade Commission’s division of privacy and identity protection, told The Associated Press that the constant swapping of stolen data among crooks makes it difficult to trace stolen credit-card and Social Security numbers to a specific theft. The Secret Service, which is leading the S.C. data breach probe, has declined comment on the case.
Bottom line: What is the price tag of the breach for the state?
Final costs are unknown. Here’s what we know now. The state will pay up to $12 million for Experian to offer help to individual taxpayers. The business monitoring is free. South Carolina has paid about $125,000 to Mandiant, a firm recommended by the Secret Service to help fix computer gaps, and hired Columbia’s Nelson Mullins law firm to help handle liability issues.