Confidential tax records of 4.25 million South Carolina individuals and businesses stolen by foreign hacker
Any South Carolinians who filed state tax returns since 1998 risk the theft of all information contained on their tax returns, including Social Security, bank account and credit card numbers. Approximately 387,000 credit card numbers were stolen, of which 16,000 were unencrypted.
The state of South Carolina has responded with the following plan of action:
- All tax return data is now being encrypted and consideration is being given to not holding tax data for such a long period of time.
- SC taxpayers and their children who were victims of the data breach will receive a year of free credit monitoring and up to $2 million in insurance and free lifetime credit fraud resolution through Experian. The cost of a lifetime fraud resolution through Experian is $12 million. The annual cost of credit monitoring to the state of S.C. is $8.00 a person, or $28.8 million if all 3.6 million taxpayers affected sign up for the service.
- After the one year of free credit monitoring expires, taxpayers may be able to renew at a cost of $160 to $240 per year.
- Credit monitoring will not prevent ID theft but will alert taxpayers sooner if ID theft has occurred. Credit monitoring will inform taxpayers of newly opened accounts, credit inquiries, and bill delinquencies at all three of the major credit reporting agencies: Experian, Equifax, and TransUnion.
- The IT consulting firm Mandiant has been hired at a cost of $125,000 to repair data-technology gaps and to install additional security measures.
- The Nelson Mullins law firm has been hired to assess liability issues.
What went wrong
Apparently, like many states, the SC Department of Revenue did not encrypt the confidential information. According to sources, the hacker “got into the conversation” on the communication system used by revenue department officers across the state and was able to obtain a user name and password. The data breach occurred in September but was not reported for some time as the department attempted to catch the crook and close the security breach.
The fallout begins
In the meantime, an attorney has filed a class action lawsuit on behalf of all affected taxpayers, asking for $1000 per taxpayer and alleging negligence in failure to timely notify taxpayers of the breach and in failing to secure the confidential data.
This incident is just another example of why business and governmental entities should carry Cyber Liability insurance.