A foreign hacker stole confidential S.C. tax records of 4.25 million individuals and businesses. Anyone who filed a state tax return since 1998 is subject to theft of all information contained on their tax returns, including Social Security numbers, bank account numbers, and credit card numbers. Approximately 387,000 credit card numbers were stolen, of which 16,000 were unencrypted.
The state of South Carolina has responded with the following plan of action:
All tax return data is now being encrypted, and the state is considering not holding tax data for such a long period of time.
SC taxpayers and their children who were victims of the data breach will receive a year of free credit monitoring and up to $2M in insurance and free lifetime credit fraud resolution through Experian. The cost of a lifetime fraud resolution through Experian is $12 million. The annual cost of credit monitoring to the state of S.C. is $8.00 a person, or $28.8 million if all 3.6 million taxpayers affected sign up for the service.
After the one year of free credit monitoring expires, taxpayers may be able to renew at a cost of $160 to $240 per year.
Credit monitoring will not prevent ID theft but will alert taxpayers sooner if ID theft has occurred. Credit monitoring will inform taxpayers of newly opened accounts, credit inquiries, and bill delinquencies at all three of the major credit reporting agencies: Experian, Equifax, and TransUnion.
An IT consulting firm, Mandiant, has been hired at a cost of $125,000 to repair data-technology gaps and to install additional security measures.
The law firm, Nelson Mullins, has been hired to assess liability issues.
In the meantime, an attorney has filed a class action lawsuit on behalf of all affected taxpayers asking for $1000 per taxpayer, alleging negligence in failing to notify taxpayers of the breach in a timely manner and in failing to secure the confidential data.
Apparently, like many states, the SC Department of Revenue did not encrypt the confidential information. According to sources, the hacker “got into the conversation” on the communication system used by revenue department officers across the state and was able to obtain a user name and password. The data breach occurred in September but was not reported for some time as the department attempted to catch the crook and close the security breach.
Just another example of why business and governmental entities should carry Cyber Liability insurance.