COLUMBIA, SC (WIS/WMBF) - A state agency's website has been hacked and millions of social security numbers and credit and debit card numbers belonging to South Carolinians have been compromised.
Governor Nikki Haley, SLED Chief Mark Keel, and others gathered at SLED headquarters Friday afternoon to talk about the breach and how residents can take immediate steps to protect themselves against identity-theft.
"This is not a good day for South Carolina," said Governor Nikki Haley. "South Carolina has come under attack by an international hacker."
State officials revealed Friday that someone in a foreign country gained access to the South Carolina Department of Revenue's website and a server was breached for the first time in late August.
387,000 credit and debit card numbers and 3.6 million social security numbers, all unencrypted, have been exposed.
Of the credit cards, the vast majority are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, DOR officials said. However, approximately 16,000 were unencrypted and exposed.
Officials found out about the breach on October 10. On October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made on August 27.
In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered.
On October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured.
"On October 10, the SC Division of Information Technology informed the SC Department of Revenue of a potential cyber attack involving the personal information of taxpayers," said DOR Director James Etter. "We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor's office."
"When this breach occurred and it was discovered," said Keel. "it took a while for experts to determine how much data had actually been compromised.
"It was important that we had the time to work through our investigation so that we would have enough evidence to prosecute this person," said Keel.
Here's a more specific timeline from Governor Nikki Haley's office explaining exactly what happened:
- The SC Dept. of Revenue was informed by the SC Division of Information Technology (DSIT) of a potential cyber attack involving the personal information of taxpayers.
- DOR worked with DSIT throughout the day to determine what may have happened and what steps needed to be taken immediately to deal with the situation.
- DOR consulted with state and federal law enforcement agencies for guidance. Law enforcement recommended several steps to be taken, including consulting the nation's top cyber security firms.
- DOR assessed the top 3 recommendations from law enforcement and contacted Mandiant of Alexandria, VA.
- DOR contacted the Governor's office. SLED Chief Keel briefed Governor Haley.
- DOR met with the Governor's office in the morning to give her a full briefing, including laying out our 4-pronged approach:
- Contract with Mandiant, which we signed on October 12 with the approval of the Governor, to find and fix the leak;
- Conduct an internal investigation of all outside contractors and certain employees to see if they have been involved with any security breaches;
- Develop of a public notification plan; Institute additional protection tools on our system.
- DSIT began monitoring DOR and its main servers to detect any unauthorized intrusions.
- DOR made the decision that if DSIT or DOR identified any unusual exfiltrations of data, the system impacted would be shut down immediately.
- DOR signed a contract with Mandiant. Mandiant began working on plans to send surveillance and monitoring tools to be installed at DOR in SC.
- DOR worked with Mandiant to begin installing surveillance and monitoring equipment which was completely in place within 48 hours.
- DOR began daily status update calls with complete team, including representatives from law enforcement, DSIT, DOR, Mandiant- the first call was planning session.
- Mandiant began deploying a monitoring agent on every computer workstation throughout DOR, a process was completed by October 20.
- By the daily status call on Oct. 16, Mandiant was able to confirm that an unknown hacker or hackers probed the system in early September. We also learned that in mid-September, two other intrusions occurred, and to the best of our knowledge, the hacker obtained data for the first time.
- Daily team status meetings were held and systems were continuously monitored.
- Mandiant sent a four member team to begin the on-site investigation at DOR.
- DOR is still managing day-to-day business of state of SC while managing this major issue.
- DOR contacted South Carolina law firm, Nelson Mullins, about getting assistance with breach management.
- The "hole" was closed and system was secured, to the best of our current knowledge.
- We continued to monitor the system to make sure no more data was compromised.
- The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens.
- We confirmed that NO public funds were accessed or put at risk as those servers are completely separate from those that were breached.
- However, approximately 3.6 million Social Security numbers may be affected. Approximately 387,000 credit card numbers were in the materials that were taken, but approximately 371,000 are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, and the others are dated from before 2003.
Haley said she knows where the attack came from, but would not reveal the location of the hacker so the investigation would not be put in jeopardy. "I want this person slammed against the wall," said Haley. "I want that man just brutalized."
Keel said no state funds were touched during this data breach.
"We are going to have a very strong approach to make sure that every South Carolina taxpayer is protected," said Haley. "No taxpayer should be a victim to this. We will take care of them."
If you have paid taxes in the state of South Carolina, you are urged call 1-866-578-5422 to get an activation code to use here: www.protectmyid.com/scdor to see if your information has been compromised. If so, the state will provide a year of identity-theft protection and credit monitoring free of charge.
"Whatever it takes to do this, we are going to do," said Haley on potential costs for protecting residents. "This is not going to be inexpensive."
If credit card information is compromised, the best protection is to have the bank reissue the card. Anyone who has used a credit card in a transaction with the Department of Revenue should check bank accounts regularly to see if any unauthorized charges have occurred. If so, the cardholder should contact the credit card issuer immediately by calling the toll-free number located on the back of the card or on a monthly statement, tell them what you have seen, and ask them to cancel and reissue the card.
Consumers should also change any credit card web account passwords immediately when unauthorized charges are detected.
In addition to the Experian service, state officials urged individuals to consider additional steps to protect their identity and financial information, including:
- Regularly review credit reports;
- Place fraud alerts with the three credit bureaus;
- Place a security freeze on financial and credit information with the three credit bureaus.
If you have paid taxes in the state of South Carolina, you are urged call 1-866-578-5422 to get an activation code to use here: www.protectmyid.com/scdor to see if your information has been compromised.
The call center is open 9 a.m. to 9 p.m. on Monday through Friday and 11 a.m. to 8 p.m. on Saturday and Sunday.
WMBF News Facebook fans report they're having trouble getting through to that number, and some have been put on hold for in excess of 15 minutes. Others were disconnected, told to call back, or told the office was closed.
If you are connected with someone at the Department of Revenue that can help you determine if your information was compromised, please share your experience with us by leaving a comment on our Facebook fan page.
If so, the state will provide a year of identity-theft protection and credit monitoring free of charge.