With all of the news and focus on hurricane Sandy, you may have missed this news item. On Friday October 26, the South Carolina Department of Revenue (DOR) announced a data breach where a hacker accessed and stole information affecting 3.6 million consumers, or about 77% of the state's population. The breach victims include consumers who have filed a state tax return since 1998.
The data stolen included 3.6 million Social Security numbers, and 387,000 debit- and credit-card numbers. All except 16,000 credit card numbers were encrypted. None of the Social Security numbers were encrypted.
On October 10, the state's Division of Information Technology informed the DOR of a "potential cyber attack." With the recommendation of law enforcement, the DOR contracted with Mandiant, an information security company, to help with the breach investigation, secure the computer system, and install new equipment and software for stronger protections.
On October 16, breach investigators discovered two breaches during September and one during August. On October 20, weaknesses in the state's computer systems were closed. The state has arranged for one year of free credit monitoring and fraud resolution services with Experian ProtectMyID. Affected consumers should contact ProtectMyID online or via phone (1- 866-578-5422) to see if there personal information was stolen.
By Monday October 29, about 455,000 consumers had called Experian, and about 154,000 had signed up for the ProtectMyID service. However, there have been problems and criticism of the state's response to the data breach. The complaints by consumers trying to call Experian (to see if their information was stolen) included busy phone signals, recordings, no answer, and long waits on hold.
Callers who got through successfully to Experian received a code so they could sign up online for ProtectMyID. At a Monday October 29 press conference, South Carolina Governor Nikki Haley announced the code so breach victims could sign up online for the ProtectMyID service.
If you were affected by the South Carolina data breach, please share your opinions about the state's response or the ProtectMyID service.