Saturday, October 27, 2012

Millions of SSNs lifted from South Carolina database

Slipshod security at the state Department of Revenue leads to a massive security breach: 3.6 million Social Security numbers are stolen. The state's population is approximately 4.7 million.

If you live in South Carolina, there's a very good chance that slipshod state government security has allowed an overseas computer criminal to acquire your Social Security number.

The South Carolina Department of Revenue acknowledged the massive electronic security breach today, saying an electronic intrusion led to 3.6 million Social Security numbers being stolen. The state's population is approximately 4.7 million.

"We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected," Gov. Nikki Haley said in a statement.

Anyone who has filed a South Carolina tax return since 1998 -- including former residents who have since moved out of the state -- is being urged to call (866) 578-5422 to enroll in a consumer protection service and visit

Social Security numbers weren't always used as taxpayer ID numbers, and it's possible that South Carolina's missteps could prompt a move to rethink their use. It wasn't until 1976, when the federal Tax Reform Act was adopted, that states began to adopt SSNs for tax and motor vehicle licensing purposes.

Employers, universities, and even some states have adopted substitutes for SSNs, which can jeopardize privacy when disclosed because they're used for authentication and as a unique identifier. The U.S. Navy is moving away from SSN use, and New York's civil service offers substitutes for people without SSNs. So, perhaps ironically, does the University of South Carolina.

A chronology of events (PDF) that the state published today says that the Department of Revenue learned of the intrusion on October 10 -- it doesn't say how, and USA Today suggested the hacker may have contacted the state demanding a ransom -- and alerted federal and state law enforcement.

On October 12, the state hired an outside consultancy, Mandiant, which determined the intruders accessed state systems in early and mid-September. It wasn't until eight days later, on October 20, that the suspected security hole was actually closed.

Approximately 387,000 credit card numbers were in the files taken, the state said. But officials claim that only 16,000 were unencrypted.