COLUMBIA — A hacker broke into the South Carolina Department of Revenue computer files and gained access to about 3.6 million tax returns, state and federal officials said Friday.
A somber Gov. Nikki Haley said the hacked files included state returns submitted since 1998 with unencrypted Social Security numbers. There also were about 387,000 credit and debit card numbers, of which 16,000 were unencrypted.
Officials said people whose information has been compromised will get a free year of identity protection service provided by Experian and paid for by the state. It wasn’t clear how much that would cost the state.
State Law Enforcement Division Chief Mark Keel said state officials were made aware of the problem Oct. 10 by the U.S. Secret Service. He said the hacker might have gotten into the files, stored in a computer in Columbia, as early as late August.
“In the past two weeks, state and federal law enforcement along with the Department of Revenue have come together and done everything they need to make sure those holes have been plugged and we no longer have any holes we are aware of at this point,” Haley said. “I have made it very clear to my chief I want this person slammed against the wall.”
Officials say the breach was completely closed by Oct. 20. They said they don’t believe there was much additional damage after the problem was discovered.
They said the hacker’s computer had an international IP address, but they would not say which country. Officials said not all the tax information was extracted from the system.
“Our state will respond with a big, large-scale plan that is somewhat unprecedented to take care of this problem,” Haley said.
Anyone who filed a South Carolina tax return from 1998 onward is being asked to call (866) 578-5422.
Haley was asked why state officials waited weeks to notify the public.
“This is the difference between finding the person and finding how they did it,” she said. “We needed to find out how they did it, and we needed to find out everybody involved and the only way to do that was to allow them to go through the process they have gone through.”
Keel would not say whether authorities have identified a suspect. He said the criminal investigation goes on.
On Friday, the governor asked state Inspector General Patrick Maley to review cybersecurity for all state agencies and make recommendations for improvement.
Earlier this year, the personal information of 228,000 Medicaid patients was stolen in South Carolina and a former Department of Health and Human Services project manager was arrested.
“These are two totally different situations,” Haley said. “That was somebody within the agency that had been part of the problem.”
The Secret Service’s electronic crimes task force works nationwide, said Mark Williams, the Secret Service agent in charge for South Carolina.
He said the South Carolina case was one of the largest the agency had handled.