S.C. class action lawsuit calls Haley negligent in hacking case

Wednesday, Oct. 31, 2012 3:56 PM
Last updated 11:51 PM

COLUMBIA — A former state senator has filed a class-action lawsuit against Gov. Nikki Haley and the South Carolina Department of Revenue, alleging the state failed to protect residents from having their personal information exposed in a database hacking incident.



The lawsuit was filed in the Richland County Court of Common Pleas.

On Friday, Haley and other officials announced that about 3.6 million tax returns from as far back as 1998 had been exposed when a foreign hacker broke into the state system.

State and federal officials are investigating the hacking they say might have started in August and was discovered last month. They say the vulnerability in the system was fixed Oct. 20.

“I believe it might actually be the largest against a state government, but certainly of a state tax department,” said Paul Stephens, of the Privacy Rights Clearinghouse based in San Diego.

“We’ve never heard of anything like this, so I think you can say that,” said Verenda Smith, the deputy director of the National Federation of Tax Administrators.

A Senate committee met Tuesday to question the revenue department head, James Etter, and discuss solutions.

On Wednesday, former state Sen. John Hawkins’ law firm announced its class-action suit.

“This hacking amounts to a ‘cyber hurricane,’ and it’s a Category 5,” the former Republican lawmaker said in a statement.

Haley, who opposed Hawkins’ attempt this year to regain his Senate seat, discounted the lawsuit.

“There is a trial lawyer with a hand out and a tissue ready at any crisis, and he has just proven that,” the governor said.

Haley has said the hacking could not have been avoided and no state employees are facing disciplinary action.

Officials defended their decision to wait 16 days before notifying the public of the breach by saying the disclosure would have hindered the investigation.

Anyone who paid taxes in South Carolina as early as 1998 was urged to visit www.protectmyid.com/scdor to register for protection and type in SCDOR123, or call (866) 578-5422.

State officials have negotiated a contract with Experian, capped at $12 million, for credit protection. As of Wednesday, 418,000 people had enrolled in a credit monitoring service the state offers through Experian.

The 3.6 million tax returns filed since 1998 included millions of Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted. Tax information from businesses across the state may also have been accessed.

BUSINESSES GET EYE ON CREDIT

Gov. Nikki Haley says up to 657,000 businesses in South Carolina have also been compromised by an international computer hacker.

Haley said Wednesday that officials do not yet know the precise number of businesses affected or the information taken. She says the maximum figure includes duplicate filings.

The businesses affected are in addition to the up to 3.6 million Social Security numbers accessed from individual tax returns.

Haley says Dun & Bradstreet Credibility Corp. has offered to provide businesses credit monitoring at no cost to them or the state. Any business that has filed a tax return since 1998 can sign up starting at 8 a.m. Friday by visiting www.DandB.com/SC, or calling (800) 279-9881.

– Associated Press

Comments (14)
Riverman1 10/31/12 - 04:12 pm
Bunch of....

What a bunch of Kricket Krap. Let the Governor do her job.

KSL 10/31/12 - 04:58 pm

This is serious. I was told of someone who has already had an issue because of this.

Retired Army 10/31/12 - 05:00 pm
Riverman1 10/31/12 - 04:12 pm

Riverman1 posts: "What a bunch of Kricket Krap. Let the Governor do her job."

1. Maybe if she had done her job.....just sayin'

2. Wonder if that attitude would be any different if your SSN was in the hack?

faithson 10/31/12 - 05:30 pm

Wonder if that attitude would be any different if there were a D behind the Governor's name.

dichotomy 10/31/12 - 06:30 pm
Ambulance chaser.

How many bosses at any level KNOW FOR SURE that their networks and data are secure. It may be someone's fault. Someone might be negligent. But it sure isn't the governor. Some computer network folks ought to have to do some tall 'splainin' but even then, the BEST networks can be hacked. Should we all have sued Obama when the DOD and State Department networks were hacked? Serious stuff. Endangered people's lives. This lawsuit is ridiculous. How many times have we heard of banks and credit card companies getting hacked? And guess what? They hire the best computer security people and pay them a HECK OF A LOT more than you are paying the state employees who handle computer stuff. And the banks and credit card companies STILL get hacked. Hawkins is just another ambulance chaser looking for a percentage of a settlement.

Retired Army 10/31/12 - 07:31 pm

It's mighty funny how folks label attorneys "ambulance chasers" unless of course they're the ones in the ambulance.

And, another point to ponder here, since folks want to paint this in a political light. Did ya notice that the filing attorney is a former Republican lawmaker?

And then to top it off, 16 days before 3.6 million folks of the taxpaying public were told to watch their behinds? That's atrocious and inexcusable.

OpenCurtain 10/31/12 - 08:39 pm
Hot Button for me

Paraphrasing "A former (loser looking for a headline) state legislator has filed a class action lawsuit (hopes to make lots of noise) against Gov. Nikki Haley and the South Carolina Department of Revenue, alleging the state failed to protect citizens from having their personal information exposed in a database hacking incident. (He knows little of the workings of the IT Security world, but enjoys the headlines and 15 seconds of limelight that will win him brownie points and added support during his next election run.)"

My background is IT Security.
I was part of a team of IT Security Consultants called the X-MIB for a company ______. I have 100's of IT Security consulting engagements behind me ranging from US DOJ, GBI, DOD Special Ops, 3 letter agencies and no letter agencies.

It is NOT the governor's fault:
* a Firewall was likely bypassed,
* Route configurations were likely modified incorrectly or compromised,
* a WiFi connection in some office might have been the cause,
* Some Bozo clicked on a spam message telling him he won the Irish lottery, and infected his system with a new Trojan, pup or a key logger.

Yes, it was someone's fault
The IT dept. who failed to run a periodic IT Vulnerability Assessment or missed the hole while doing so.

The IT Dept failed to note large data transfers outside the authorized IP address range.

Yes, it was someone's fault that the database, at this point, appears to be stored unencrypted or weakly encrypted at best. Or, maybe the Cyber Mob accessed the data via a compromised terminal / pc at some distant Up Country SC location that can't be tested weekly due to bandwidth issues.

Several very good SC IT Departments will likely see some serious shake-ups in the coming months. Lots of security consultants will get to bill $185 to $400 p/hr for weeks. Secure token access will likely be recommended and implemented statewide at a large cost that the same political snipers will also whine about.

The point is, political back biting for headlines instead of helping is the wrong action at this point in time.

KSL 10/31/12 - 08:42 pm
RA

Why don't we wait to see if the 16 days actually harmed any SC tax return filer or if there was benefit in tracking down the perps and perhaps the government behind them?

My SS number was on all of those tax returns during that period.

I am not in panic ambulance chaser call mode.

KSL 10/31/12 - 09:00 pm
OpenCurtain

Thank you for your explanation, your intelligent comments, as always.

OpenCurtain 10/31/12 - 10:01 pm
If your privacy has been compromised and you see activity.

Quick hit list
1. contact your bank(s) and follow their recommendations.
Best done in person not by phone. Have new checks sent to the bank for personal pickup.

2. contact your credit card company(s) and request a reissue and new numbers. Have your new cards sent to your bank rep. not your house mailbox.

3. File a fraud alert. (24/7)
A fraud alert is a less restrictive option and may help prevent fraud. An alert does not block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.

Equifax
Phone: 1-800-525-6285, https://www.alerts.equifax.com

Experian
1-888-EXPERIAN (888-397-3742), https://www.experian.com/fraud/center.html

Trans Union
1-800-680-7289, http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page

4. Don't wait on the state to give you free credit monitoring. Sign up for the 30 days free trial offer that most companies offer. This should be enough time for SC to reach agreements to offer the service free for XX months to those compromised.

I could type reams of notes, but just check out:

http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/detect.html

KSL 10/31/12 - 10:23 pm
Open curtain

My husband doesn't, but I have an alert posted with SS on my number since the early 80's. My purse, locked in my car was stolen from a night club. Our car was broken into. A couple of years later someone tried to use my SS number to get food stamps in Aiken Co.

Oddly, DSS acknowledged, and reported to my employer the potential crime, but refused to tell me whose identity they felt they had to protect.

I wanted to file charges, but the perp's identity was protected since the crime did not go to fruition.

OpenCurtain 11/01/12 - 06:52 am
KSL - speak to SLED after this cools down

Use of another person's ID even to attempt, but fail, is still a State and Federal crime.

To have used your ID was an attempt to defraud the government.
To have your SS # and use it to sign up for public assistance was perjury the second the person signed the application.

I'd be asking for the case number and a copy of the police report.
Then a request under the FOIA or the SC version for the investigative report.

KSL 11/01/12 - 10:07 am
Great advice, OpenCurtain

But I doubt that DSS did anything but deny him/her foodstamps.

KSL 11/01/12 - 11:03 am
RA

FYI, I don't know how many people in SC have Lifelock, but I was told by the person I spoke with that she knew of no alerts that had occurred as a result of this hacking incidence.

Which is better, being able to tell people that this has occurred, but safeguards are in place and there is a better chance of going after the people/country behind this or sending countless people into pure panic mode?
