Officials in South Carolina have had a busy month. On Oct. 26, Gov. Nikki Haley announced a data breach that data security experts said could lead to widespread bank fraud, identity theft, bogus tax refunds and fraudulent loans. The breach, initiated in August and discovered on Oct. 10, is being blamed on overseas hackers. Personal information for 3.6 million taxpayers was leaked from the state's Department of Revenue.
“This is about the worst you can get,” said Avivah Litan, an identity theft analyst with Gartner, Thestate.com reported. Not only were residents upset about the data leak, they were also upset by the 16-day delay from when the leak was discovered and reported. “Two weeks is an eternity for the bad guys to have this information,” said Forrester Research Analyst Rick Holland. “It’s important to act as soon as possible.”
The leaked data, which dates back as far as 1998, includes unencrypted social security numbers and 387,000 credit and debit card numbers. Officials said they didn't know exactly what information was taken or if the perpetrators of the attack accessed other information. “To tell you now would be guessing,” Haley said in a press briefing.
About 455,000 people called the state's credit protection hotline during the weekend after the announcement. The governor's office announced on Oct. 30 that fraud protection services would be available to affected residents through Experian's ProtectMyID program. The governor's office has not announced how much the breach will cost, but If every taxpayer registers with the service, fraud prevention will cost the state at least $29 million.
There has been no explanation as to why the state did not encrypt its data, although Gov. Haley did state that encrypting data is complicated and cumbersome. The state has now begun a two to three month project to encrypt revenue department data.