A cyberattack on the South Carolina Department of Revenue's information systems this summer exposed some 3.6 million Social Security numbers and 387,000 credit and debit card numbers, including 16,000 unencrypted ones, the state reported Oct. 26.
Revenue Director James Etter said the state Division of Information Technology informed him of the cyberattack on Oct. 10. "We worked with them throughout that day to determine what may have happened and what steps to take to address the situation," Etter said in a statement. "We also immediately began consultations with state and federal law enforcement agencies and briefed the governor's office."
At the request of law enforcement, the state didn't notify the public as soon as the breach was discovered. "Although protecting the taxpayers is the priority of the state, this is a criminal investigation and DOR (Department of Revenue) felt it necessary to allow law enforcement to do their job with this investigation," DOR spokeswoman Samantha Cheek said.
South Carolina Law Enforcement Chief Mark Keel said officials decided to delay notification until after the investigation reached a series of benchmarks, contending it was in the public's best interest that the investigation proceed before public notification, according to a report posted on the local website GreenvilleOnline.
Shortly after learning of the attack, the Revenue Department hired Mandiant, an advanced threat detection and incident response provider, to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access.
Here's an account of the attack and response provided by the Revenue Department:
The Secret Service and the South Carolina Law Enforcement Division first noticed the breach and alerted state officials. (Cheek said she didn't know how law enforcement discovered the breach. Neither the Secret Service nor state law enforcement authorities responded to inquiries about the breach.)
Investigators on Oct. 16 uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred and it is believed the hacker obtained data for the first time. No other intrusions have been uncovered. On Oct. 20, the vulnerability in the system was closed and secured.
Cheek said she didn't know why 16,000 debit/credit card numbers weren't encrypted, but said the state follows industry standards that have required encryption since 2003. Records that may have been exposed date back to 1998. GreenvilleOnline cites investigators as saying those numbers are so old that they don't believe they're at risk of being used. The website also quotes investigators as saying the cyberattack originated from abroad, which Cheek said she could not confirm.
Cheek said no public funds were accessed or put at risk as a result of the breach.
Recognizing the political sensitivity such a large data breach could have with the public, Gov. Nikki Haley issued a statement, saying the number of records exposed requires an unprecedented, large-scale response by the state. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected," she said.
Cheek said she didn't know how much the breach would cost the state once it adds up the expenses associated with monitoring and identity protection for taxpayers, as well as investigating and remediating the attack.