COLUMBIA — The South Carolina Department of Revenue announced Friday that a cyber attack has exposed 3.6 million Social Security numbers and 387,000 credit and debit card numbers.
Of the credit cards, 16,000 are unencrypted, while the vast majority are protected.
The state is providing one year of credit monitoring and identity theft protection to anyone who has been affected.
“On Oct. 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers,” state Department of Revenue Director James Etter said in a news release Friday.
“We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”
The agency contracted with Mandiant, an information security company, for help with the investigation, efforts to secure the system and to install tighter security.
On Oct. 16, investigators discovered two attempts to hack the system in early September, and later learned that an earlier attempt was made in late August, according to the revenue department.
The agency said Friday that two other breaches occurred in mid-September, “and to the best of the department’s knowledge, the hacker obtained data for the first time.”
“On Oct. 20, the vulnerability in the system was closed and, to the best of the department’s knowledge, secured,” according to the agency statement.
Gov. Nikki Haley said in a news release that officials are taking immediate steps to protect South Carolina taxpayers.
It’s not the first time South Carolinians’ personal information has been stolen from a state agency.
In April, the S.C. Department of Health and Human Services discovered that an employee working within the Medicaid program had moved the personal information of 228,435 Medicaid beneficiaries into his personal e-mail account.