Approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to South Carolina taxpayers were exposed after a server at the state's Department of Revenue was breached by an international hacker, state officials said Friday.
All but 16,000 of the credit and debit card numbers were encrypted, the officials said.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
The state's Department of Revenue became aware of the breach Oct. 10 and an investigation revealed the hacker had stolen the data in mid-September, after probing the system for vulnerabilities in late August and early September.
The vulnerability exploited by the attacker was closed Oct. 20.
During a press conference Friday, South Carolina Governor Nikki Haley described the attack as international and "creative in nature."
Asked if she knew where the attack originated from, she said she does but declined to name the location because it might hurt the law enforcement investigation. She did, however, say she wants the hacker "slammed to the wall."
"We want to make sure everybody understands that our State will respond with a big, large-scale plan that is somewhat unprecedented to take care of this problem," Haley said.
The state will provide affected taxpayers with a year of credit monitoring and identity theft protection service from Experian.
"Anyone who has filed a South Carolina tax return since 1998 is urged to visit protectmyid.com/scdor or call 1- 866-578-5422 to determine if their information is affected," the Department said.
"While details are still emerging, we can already say that this breach of records at the South Carolina Department of Revenue (SCDOR) is exceptional, both in terms of the large number of records compromised and the potential damage to confidence in state government that may result," Stephen Cobb, a security evangelist at security firm ESET, said via email Friday.
"The cost is also going to be enormous, given that South Carolina may be required to pay for identity theft protection services for anyone who has paid taxes in South Carolina since 1998," he said.
"Encryption of the data may slow down the process by which the stolen records are converted into cash through identity theft and fraudulent accounts, although that will also depend on the strength of the encryption," Cobb said.
Cobb pointed out that this breach came only a couple of months before people can start filing their income tax returns.
"Fraudulent electronic claims for refunds are a huge problem for the Internal Revenue Service (IRS) as criminals can easily make fake versions of the income tax withholding form known as W-2, showing that the employer withheld more tax than was owed," Cobb said. "Employers often dont inform the IRS of taxes withheld until several months into the New Year."