Hackers could have in their possession taxpayer information from the S.C. Department of Revenue that would allow crooks to take over bank accounts, file for bogus tax refunds or get fraudulent loans, national data security experts said Monday.
“This is about the worst you can get,” said Avivah Litan, an ID theft analyst with the information technology research group Gartner. Added Rick Holland, an analyst with Forrester Research, “If I were a resident of South Carolina, I would be pretty concerned.”
South Carolina leaders are trying to resolve a cyber attack affecting four times as many people as all previous South Carolina data breaches in the past seven years.
Officials are working on improving security, while protecting taxpayers’ credit records for free. Meanwhile, the state Senate Finance Committee has asked Revenue Department director James Etter to explain the hacking at a hearing today – just four days after the theft, from an undisclosed location overseas, became public.
“This is really a disturbing thing,” Senate Finance chairman Hugh Leatherman, R-Florence, said Monday. “Hopefully, we can put the genie back in the bottle.”
Gov. Nikki Haley and SLED Chief Mark Keel said Monday they do not know if hackers have taken additional information other than unencrypted Social Security numbers, belonging to 3.6 million S.C. taxpayers and dating back to 1998.
“To tell you now would be guessing,” Haley said.
Litan said she has never heard of Social Security numbers existing in a database without other identifying information. Tax returns include Social Security numbers, names, addresses, dates of birth and, in some cases, bank-routing numbers.
“As a fraud analyst, I would be most nervous about someone having access to my tax records,” she said.
Callers flood help line
Plenty of S.C. taxpayers were nervous over the weekend, flooding lines set up by Experian, the California-based firm hired to provide ID theft protection for taxpayers. The company added operators Monday, though it still was suggesting the fastest way to register for ID theft protection was to register online. Those who need to sign up for protection can do so until Jan. 31.
The state, via Experian, is offering a year of free credit report monitoring, which can be used to help even with past problems found in credit histories. But crooks could use the stolen data for many years.
Haley hinted on Facebook on Monday the state might offer lifetime credit-report coverage. “We are working on getting you lifetime coverage,” Haley wrote. “I will be able to comment on that in (today’s) press conference.”
The state’s costs to provide the credit protection were not available Monday and will depend on how many people register, Haley said. About 455,000 people had called the state hotline by Monday morning, with 154,000 people registering for credit protection.
She said the state was negotiating to offer protection at about $8 per person, which would cost the state about $29 million if every taxpayer affected registered.
Haley said the children of taxpayers, whose Social Security numbers are on tax returns as dependents, will be covered once their parents register. Business data were not compromised, the governor’s office said.
Haley said the state cannot automatically sign up taxpayers whose information has been compromised for the Experian program.
“When you’re dealing with the Department of Revenue, that is confidential information,” she said. “We are not allowed to go do something for someone that may not want it.”
Haley said she had no plans to discipline anyone for the attack, which started in August but was not discovered until Oct. 10 by the Secret Service. Keel said he could not provide any more details about the hackers, citing the ongoing investigation.
“Everything we have done, up until now, has been to protect the people,” Haley said. “I trust what the Secret Service has done. I trust the chief. And because of what we have done, we have actually further protected the people.”
State Inspector General Patrick Maley said he will meet with chief information officers from state agencies this week to talk about immediate fixes needed for other security gaps in the state’s other computer systems.
“We don’t need to address medium-range solutions while there is a hole in the kite,” he said.
Cyber attacks are a concern across the country.
Just one in four state chief information security officers nationwide said they are very confident in their states’ ability to guard data against an external cyber attack, according to a survey released last week. Seven in 10 reported a breach.
The hackers have unfettered access to the S.C. data they stole because the information was not encrypted.