10/26/2012 South Carolina Department of Revenue

A government in Columbia, South Carolina
6,400,000 accounts compromised
South Carolina Department of Revenue’s website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted. Citizens concerned about exposure may visit protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422.
UPDATE (10/31/2012): Tax records dating back to 1998 were exposed. A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.
UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach. Trustwave is an international company based in Chicago.
UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers. It appears that Trustwave focused on helping the Southern Carolina Department of Revenue comply with regulations regarding how credit card information is handled. Neither Trustwave nor the Southern Carolina Department of Revenue detected the breach.
UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed. Additionally, 3.3 million tax payers had bank account information obtained. It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million tax payers who had bank account information obtained.
UPDATE (01/11/2013): A State IT division director reported that the SCDOR’s former chief information officer and current computer security chief were notified on August 13 that 22 computers were infected with malicious code. The State’s division of IT recommended that passwords be reset after the discovery, but they were not reset.
UPDATE (03/01/2013): A lawsuit brought against TrustWave and SCDOR by a former state senator has been dismissed by a judge. The former senator accused the agencies of conspiring to hide the fact that a massive breach had occurred and failing to adequately protect taxpayers from a potential hack.
UPDATE (04/02/2013): About 1,448,798 people signed up for free individual credit monitoring and 41,446 signed up for free family credit monitoring.
UPDATE (10/25/2013): It is estimated that South Carolina taxpayers will pay at least $8.5 million to pay for one year’s worth of free credit monitoring to those affected by the data breach. Over 650,000 businesses had their tax information exposed.


Return to 2012 details page
Year links page
Return to References page

Visit Us On FacebookVisit Us On Twitter