South Carolina State Law Enforcement Division Chief Mark Keel, left, and Department of Revenue Director James Etter talk about the security breach. (Photo: Greenville Online)
A foreign hacker stole a vast database of the South Carolina
Department of Revenue and investigators told GreenvilleOnline.com that
387,000 credit card numbers and 3.6 million Social Security numbers have
been exposed.
In exclusive interviews with Gannett's
GreenvilleOnline.com and WLTX television of Columbia, which was first
alerted to the breach, officials refused to say whether the database has
been retrieved, calling it a "sensitive investigation."
All but 16,000 of the credit cards, officials said, were encrypted -
meaning they were coded against being used by outside groups. But they
said they don't know whether hackers could break the encryption.
The remaining credit cards are so old, investigators said, that they don't believe they are at risk of being used.
Anyone who has filed a South Carolina tax return since 1998 is
immediately being asked to visit protectmyid.com/scdor or call
1-866-578-5422 to determine if their information is affected. The state
will provide those affected with one year of credit monitoring and
identity-theft protection, officials said.
No public funds were exposed or accessed, officials said.
Asked why they didn't notify the public, Keel said they decided to
notify the public after the investigation reached a series of
benchmarks. He said it was in the public's best interest that the
investigation proceed further before public notification.
Investigators said they have known about the breach since Oct. 10.
The "hole" that allowed the intrusion by the hacker was sealed on Oct. 20 and they said the system is now secure.
They refused to answer the question of whether the database may have been copied.
The officials' action, however, is shrouded in mystery. SLED Chief Mark
Keel and representatives of the Secret Service refused to say whether
taxpayers paid a ransom to the hacker to retrieve the database.
They said in a meeting that ended minutes ago with reporters of
GreenvilleOnline.com and WLTX that they have been working over the past
two weeks in a secret and high-stakes investigation of the theft.
He said the banking industry was secretly notified at the beginning of
the investigation as required by state law. The law also requires the
public who are at risk to be notified. Keel said investigators didn't
know throughout the investigation if the data was compromised.
Gov. Nikki Haley has asked the state's inspector general to examine
computer security for all agencies. The Department of Revenue has hired
a computer security firm - Mandiant - that will determine what was
taken, said James Etter, director of the Revenue Department.
Tim Smith, Greenville Online