South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised
October 26th, 2012
07:56 PM ET

South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised

The Social Security numbers of millions of South Carolinians, as well as credit and debit card information for hundreds of thousands, have been hacked in what the state's governor described Friday as an international cyberattack.

"This is not a good day for South Carolina," Gov. Nikki Haley told reporters.

The governor explained that a "server that warehouses all our taxpayer information was breached and taxpayer information was stolen."

The state's Department of Revenue explained in a press release that it first learned of a possible breach on October 10, after which the state contracted information security firm Mandiant to conduct an investigation.

The "hole" in the system was closed October 20. Over the next several days, state authorities determined that more than 3.6 million Social Security numbers may have been affected. So, too, were 387,000 credit card numbers - though only 16,000 of those were unencrypted.

On Friday, state officials laid out efforts to determine what happened and protect the personal information of taxpayers. While noting that not everyone had their information breached, Haley urged everyone who filed a tax return in South Carolina from 1998 through now to take advantage of credit protection services being offered by the state.

"While we now have it protected, we want to make sure that everybody understands that our state will respond with a big, large-scale plan that is somewhat unprecedented to take care of this problem," the governor said.

soundoff (340 Responses)
  1. john/kc

    We aren't supposed to worry about our social security or credit information being hacked. We must worry about the real important stuff, like stopping contraception, keeping gays from getting married, cutting taxes for the top 1% and eliminating medicare, medicaid and social security for the old and poor.

    October 27, 2012 at 4:25 pm | Report abuse |
  2. EKIA

    We should trust the government with our health care funding too. They are sooooo competent.

    October 27, 2012 at 4:39 pm | Report abuse |
  3. WA_ST_DEM

    "ONLY 16,000" were unencrypted......"only"......

    If you are one of the 16,000, "only" doesn't matter much........

    October 27, 2012 at 5:00 pm | Report abuse |
  4. Dan

    The real flaw is in a financial system that lets anyone do anything merely by knowing someone's SSN.

    Until we address this, these thefts will continue to plague us, and we will continue to work on securing the wrong part of the system.

    October 27, 2012 at 5:17 pm | Report abuse |
    • lerianis

      Eh? Our financial system doesn't let anyone do anything solely by knowing someone's SSN. In fact, more and more places are asking for other forms of identification. Such as when I applied for a credit card recently, they called my home to talk with me before letting the application go through.
      Even though I did it at a bank in person.

      October 27, 2012 at 5:19 pm | Report abuse |
  5. lerianis

    Now THIS is something that should not have happened, to be blunt. Social Security servers should be so locked down and monitored that it is near impossible for someone to hack into them.

    October 27, 2012 at 5:17 pm | Report abuse |
  6. OCJohn

    There is only 1 safe place for your SS#, between your ears. Anyone without brains enough to memorize that # and not put it out there just 'cause a form says "put it here" deserves the consequences. Since I gave an imaginary # to our beloved DMV (Department of Motor Vehicles), I may have a problem renewing my license, but I don't have to worry about 'til 10-14. If you give phony #s, hackers can't profitfrom them. Strange I've never seen this advocated before. Maybe it makes too much sense!

    October 27, 2012 at 6:16 pm | Report abuse |
    • 1olddude

      Good grief, John, Read the article instead of every 7th word.

      October 27, 2012 at 6:57 pm | Report abuse |
    • Coeus

      That's just plain ignorant, irresponsible, and is quite a criminal act... And when your "made up fake number" turns out to be some poor guy who never had his number out there and some ID thief who never would have come across him milks his credit for everything it's worth, what are YOU going to do to help him? All you're advocating is "I'm going to make it someone else's problem." Real nice...

      October 27, 2012 at 8:38 pm | Report abuse |
  7. Sal

    The secessionist state deserves it! 

    October 27, 2012 at 7:05 pm | Report abuse |
  8. Bill

    I'll wait until after the election before I worry. After all, if Romney wins, social security will be worthless.

    October 27, 2012 at 7:17 pm | Report abuse |
  9. Rick

    They still don't get it do they? Do what a lot of the major companys have done, HIRE THE HACKERS!!!!!!!!!

    October 27, 2012 at 7:19 pm | Report abuse |
    • William

      It's ultimately what happens in a lot of cases (which, of course, is the smart thing to do)- but you need to be careful not to "incentivize" illegal acts of cyberhacking... i.e. rewarding those hackers with a cushy job who put national security at risk.

      October 27, 2012 at 7:33 pm | Report abuse |
  10. LSinSC

    Our distinguished governor says she wants the hacker "slammed against the wall" and "brutalized". Accept some responsibility here, Nikki!!! Who's fault is it that security wasn't in place to begin with?

    October 27, 2012 at 8:10 pm | Report abuse |
    • KristinaKaye

      The hacker/hackers are not quilty at all per your reasoning? The caretakers will ALWAYS be outclassed by someone somewher sometime! But to NOT CRUCIFY the hackers is something I don't understand with your logic!

      October 27, 2012 at 9:30 pm | Report abuse |
    • dennis

      Exactly, they have only one important job and they don't take it serious.

      October 27, 2012 at 9:44 pm | Report abuse |
    • 66Biker

      You do realize of course, that no matter what kind of website security there is, a website can STILL be hacked. It's like I always say...

      "There is no such thing as a 100% Secure Website."

      I had a discussion about website security with my banker one day when he tried to convince me that the bank's website was "100% Secure". And since then whenever this subject comes up I ask people the same questions I asked him:

      "Who do you think has the most secure websites in the world?"

      His answer was "The US Government". And that is the most logical choice, don't you think? After all, the Internet is what used to be ARPANet, the former US Department of Defense computer network. It makes sense that the government, with all of it's vast resources, would be able to prevent hackers from hacking government websites. But thus far that has not happened. Several of the major federal websites have been hacked many times. The White House, the Central Intelligence Agency, the Federal Bureau of Investigation, the Department Of Justice, the Department of the Interior, etc., have ALL been hacked. There have been many reports about this since the Internet was made publicly available in the early 1990's, carried by all the major news services. And that leads up to the next logical question...

      "If the US Government can't stop hackers with all of their technical expertise, manpower, and resources, what makes you think that YOU can?"

      What could he say? The fact is that all those websites are far more secure than his bank ever thought of being, and he could not dispute the reality of the situation. So once again I told him, "There is no such thing as a 100% Secure website." After thinking about it for a moment or two he had to agree... Now don't you think that if the Feds can't do it, that it's only logical that the State of South Carolina can't do it either? So no, it isn't the Governor's fault.

      October 27, 2012 at 11:58 pm | Report abuse |
    • Hugo

      66Biker, just because a website can be hacked is no excuse for weak security. 16,000 credit card numbers weren't encrypted to PCI DSS standards. None of the SS numbers were encryped. This is failure to comply with standards cannot be excused.

      October 28, 2012 at 12:36 am | Report abuse |
    • 66Biker

      Hugo,

      I have two questions for you:

      1: Do you work for the State of South Carolina in their Computer Data Center?

      2: Do you have any evidence to substantiate the statements you've made?

      If the answers to those questions are no and no, you're speculating and to be blunt about it, you don't know what you're talking about. The article does not say what kind of security they have, and unless you work there and have personal knowledge of it, you can't possibly know what it is, or how good it is isn't. And even if you do work there and know about the security, if you have no proof, what good is it?

      October 28, 2012 at 12:50 am | Report abuse |
    • vowelmovement

      obama would have blamed a video and then cover it up with lies

      October 28, 2012 at 1:57 am | Report abuse |
    • Nate

      It sounds like you think the number one job of a governor is to be an IT professional. In that case, why don't you elect one?

      October 28, 2012 at 6:07 am | Report abuse |
  11. Teri Osborn

    So scary!

    October 27, 2012 at 8:44 pm | Report abuse |
  12. A Citizen

    I am terrified of our new "paperless" society. It is not the be all, end all, that it is reported to be. I have clients that had their SS #'s stolen, info from local law enforcement forwarded to IRS and for going on 3 years, the IRS is still dunning one college student for $11,000 they say she owes in back taxes....her real refund that year was $87, which she has never received. The gov is being bled dry by scammers of the tax system, Medicare fraud is in the billions, tell me where we are so safe. We just keep pouring money on the problem and we keep losing ground.

    October 27, 2012 at 9:21 pm | Report abuse |
    • Steve Lyons

      If we stop collecting income taxes and eliminate the need to issue refunds, the criminals would not have access to "free money". Government needs to collect fees for specific services that in turn cover the real costs of government, not bilk taxpayers out of trillions every year only to refund it to illegal immigrants and other criminals that have figured out how to game the system.

      It is real simple to apply for multiple taxpayer ID numbers, create the needed fictional paper trail of withholding taxes paid in a given year, then file a fraudulent 1040 to get a "refund" of non-existent money, then repeat the process the following year with all new numbers.

      This alone is reason to repeal the 16th Amendment.

      October 28, 2012 at 12:07 am | Report abuse |
  13. ricardo1968

    I bet that if you made up 3 million random social security numbers, a very large number of them would be valid. Its not a terribly secure system in the first place.

    October 27, 2012 at 10:31 pm | Report abuse |
    • Robert

      They are useless unless matched with names.

      October 28, 2012 at 12:44 am | Report abuse |
    • Scruff

      The governor explained that a "server that warehouses ALL OUR TAXPAYER INFORMATION was breached and taxpayer information was stolen."

      Pretty sure they got some names also.

      October 28, 2012 at 4:50 am | Report abuse |
  14. Ron

    So South Carolina offers credit protection services. I assume they want your SSN and credit card number? Well that worked so good in the past, I'll just jump right in (ARE YOU KIDDING ME?).

    October 27, 2012 at 10:33 pm | Report abuse |
  15. GenXcynic

    We have taken the SSN way too far, well beyond its intended purpose. A new system is needed. Of course, that too will be over-used and hacked as well...

    October 27, 2012 at 11:42 pm | Report abuse |
1 2 3 4 5 6 7 8 9 10 11 12 13