A foreign hacker has stolen 3.6 million Social Security numbers and 387,000 credit and debit card numbers from South Carolina’s Department of Revenue, putting most of the state’s 4.7 million residents at risk of identity theft.
Anyone who filed a South Carolina tax return in the past 14 years may have had their Social Security number stolen and has been urged by the state government to immediately enroll in consumer protection services, according to Greenville Online.
The hacker began accessing the Department of Revenue’s computer system in August, but wasn’t noticed by the Secret Service until October, giving him about two months to gather the data in what is one of the largest computer breaches in the US.
Since the first security breach, the hacker broke into the system again on Sept. 3 and Sept. 13, according to James Etter, director of the Department of Revenue. Etter claims the August intrusion yielded no stolen information.
“To the best of our knowledge, it was kind of a look-see, what’s here,” he said. “They were not doing anything with the data in August. They got in, ‘Now let’s see what we’ve got.’”
But the hacking was not detected by the Secret Service until Oct. 10, giving the hacker time to extract personal information from 3.6 million taxpayers.
“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” South Carolina Gov. Nikki Haley said during a news conference. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”
While most credit cards have strong encryption, 16,000 cards had no protection at all.
“It makes me sick,” Greenville, S.C., resident Ashley Reynolds told USA Today. “You just hear nightmares of people trying to recover from identity theft. It can be years of trying to reclaim your good status.”
An international criminal investigation is taking place to determine the extent of the security problem. Investigators will try to determine whether the database has been copied and whether any taxpayers paid a ransom to the hacker to retrieve their information.
The Secret Service and state officials exposed the security breach on Friday, causing some to wonder why it was kept secret for so long when millions of Americans have been at risk of identity theft for weeks, as the hack was first noticed by the agency on October 10.
While this case of hacking was the largest in US history, it wasn’t the first. On March 30, 2012, officials in Utah discovered that one of their health department servers had been hacked. About 900,000 Social Security numbers were stolen from the server – including those of children.
In August 2011, a group of hackers used Google to steal 43,000 Social Security numbers from faculty, staff and students of Yale University, due to an unprotected FTP server.
That same month, hackers published more than 100 Social Security numbers of state law enforcement officials that they had stolen from the Missouri Sheriffs’ Association website – along with e-mail addresses, usernames, passwords for accounts, telephone numbers and credentials of about 7,000 officers.
Some of those potentially affected in South Carolina have expressed deep concern about the security of their information in computer databases.
“It makes me question the state and how it was securing that kind of information. It’s scary,” said Misha Morris, a Seneca, S.C., resident.