Hacker swipes 3.6M Social Security numbers, other data

Tim Smith, The Greenville (S.C.) News
11:06PM EDT October 26. 2012

COLUMBIA, S.C. -- By the time the computer crimes office of the U.S. Secret Service discovered a problem Oct. 10, a foreign hacker had taken a database from the Department of Revenue's computers exposing 3.6 million Social Security numbers and 387,000 credit and debit card numbers, one of the largest computer breaches in the state or nation.

The breathtaking breach has launched a high-stakes international criminal investigation and prompted South Carolina Gov. Nikki Haley, whose administration had another massive theft of confidential information at another cabinet agency earlier this year, to order an assessment of all the state's computer systems.

Many questions remain unanswered. Officials are still unsure the state's system is entirely buttoned up. And investigators and the governor declined to answer any substantive questions about the investigation -- including whether the database may have been copied and whether taxpayers paid a ransom to the hacker to retrieve it.

Haley administration officials, the State Law Enforcement Division and the Secret Service disclosed the breach publicly Friday, raising questions about why officials kept it shrouded in secrecy while the records of millions of the state's residents were nakedly exposed, and whether the system was now secure and whether taxpayers remain at risk.

The breach, officials said, potentially affects anyone who has filed a South Carolina tax return since 1998. Even weeks into the investigation and during Friday's public unveiling of it, law enforcement investigators and Haley administration officials couldn't say who, or precisely how many, are at risk of having their identities stolen.

All but 16,000 of the credit and debit cards, officials said, were encrypted -- meaning they were coded against being used by outside groups. But they said they don't know whether hackers could break the encryption. The remaining credit cards are so old, investigators said, that they don't believe they are at risk of being used.

None of the Social Security numbers were encrypted and officials said they are studying whether they can do that -- raising other questions about whether safeguards exist that weren't used.



Residents shocked

"South Carolina has come under attack but South Carolina is going to fight back in every way possible to make sure every taxpayer is taken care of," said Haley.

Taxpayers will bear the cost of fighting back. The state government is paying for the cost of the credit-protection service for millions of residents and the burden to taxpayers couldn't be determined by GreenvilleOnline.com on Friday.

Reactions from taxpayers ranged from shock and concern to resigned eye-rolling about their government in Columbia. Some residents expressed doubt about whether state government is taking enough steps to safeguard sensitive personal information.

"It makes me question the state and how it was securing that kind of information," said Misha Morris, a recent Clemson graduate and Seneca, S.C., resident. "It's scary."

Officials refused to go into details of what they have so far discovered about how the breach occurred and who was behind it, but said the August intrusion was basically a scouting mission by the hacker.

"To the best of our knowledge, it was kind of a look-see, what's here," said James Etter, director of the Department of Revenue. "They were not doing anything with the data in August. They got in, 'Now, let's see what we've got.' "

Three more breaches followed -- the first, another "browse" on Sept. 3, Etter said, and then two more, concluding with the data theft on Sept. 13, Etter said.

Authorities somehow discovered the intrusions on Oct. 10. A Secret Service agent, Mike Williams, said the agency's computer crimes office first uncovered the intrusion and notified state authorities.

The Department of Revenue contacted a computer security firm recommended by the Secret Service -- Mandiant -- to "find and fix the leak."

Outside experts

Mandiant continues to work to determine what exactly was taken and whether numbers were stolen or just exposed.

"We're making great progress," said Marshall Heilman, director of the firm. "Those investigations are measured in weeks and months, not hours and days."

State Law Enforcement Division Chief Mark Keel and the Secret Service's Williams refused to answer questions about the investigation in an exclusive interview with Gannett Co. Inc.'s GreenvilleOnline.com and WLTX in Columbia, which first received a tip about the breach, including the country where they believe the hacker resides.

"It would be inappropriate for me to comment," Keel said. "We have a very sensitive investigation. Obviously, we are making every effort that we can to bring someone to justice for this breach. And it would be inappropriate for me to comment any further."

Public kept in the dark

Asked why they didn't notify the public, Keel and Williams said they decided to notify the public after the investigation reached a series of "benchmarks." They said it was in the public's best interest that the investigation proceed further before public notification.

"We believed that during the course of the investigation that there were these benchmarks that if we could reach, we would do a better job of trying to protect the public," Keel said, declining to explain what the benchmarks were.

South Carolina, like many states, doesn't operate a centrally controlled system. Instead, most of the 100 boards, agencies, universities and commissions operate their own systems that officials say complicates security measures.

Taxpayers are being asked to call 1-866-578-5422 to determine whether their information is affected. The state will provide those affected with one year of credit monitoring and identify-theft protection, officials said.

Greenville, S.C., resident Ashley Reynolds said she was relieved to hear about the credit monitoring and identity-theft protection being offered.

"It makes you sick. You just hear nightmares of people trying to recover from identity theft," she said. "It can be years of trying to reclaim your good status."

Hacker swipes 3.6M Social Security numbers, other data