“This is not a good day for South Carolina,” is how Gov. Nikki Haley began a Friday afternoon press conference with other state officials at SLED offices in Columbia.
“The state of South Carolina has come under attack by an international hacker,” Haley said before explaining that 3.6 million Social Security numbers had been stolen and 387,000 credit/debit cards were exposed when a vast database maintained by the SC Department of Revenue was hacked into.
Watch the video of Haley's press conference HERE.
Haley would not go so far as to call the security breach an act of terrorism, but did say it was international in nature. She did little to conceal her anger, saying she’d like the perpetrator(s) “slammed against a wall” or that she’d like to “kick him.”
Also at the press conference were SLED Chief Mark Keel, Mike Williams of the United States Secret Service, Jim Etter, Director of the South Carolina Department of Revenue (DOR) and Inspector General Patrick Maley.
Earlier in the day, WLTX reported the security breach but Haley said that report had nothing to do with timing of announcement, which came more than two weeks after officials realized a breach had occurred.
Williams said the Secret Service learned of the breach on Oct. 10 and began informing the state’s 16 agencies. Williams explained that officials could not go public with the breach because it had to achieve a number of “benchmarks” before doing so. Williams was not at liberty to explain what those benchmarks are.
Keel said the banking industry was secretly notified at the beginning of the investigation as required by state law, according to a Greenville News report Friday. The law also requires the public who are at risk to be notified. Keel told the paper investigators didn’t know throughout the investigation if the data had been compromised.
The breach and data theft was reportedly discovered by the U.S. Secret Service on Oct. 10, officials said, but the first intrusion began in August. The data was stolen in September, officials told the paper.
Reportedly, none of the Social Security numbers were encrypted and officials said they are studying whether they can do that. However, said the paper, all but 16,000 credit card numbers were encrypted, a process designed to thwart identity thieves and data theft.
View a chronology of the security breach HERE.
Ironically, from the time the breach occurred to the time it was announced, Haley completed a review of nine state agencies and found them “in...compliance with sound computer security practices" according to WLTX.
In response to the attack, Haley issued an executive order mandating a review of the information security systems of all of the state’s agencies (see attached).
Due to the investigation’s status as ongoing, Williams and Keel also could not say if the hacker had targeted South Carolina specifically or if it was part of a larger plot. The officials also would not say if the hacker was an individual or a group, though Haley referred to the hacker as “him” throughout the press conference.
The state also created a helpline (1-866-578-5422) and website (protectmyid.com/scdor) for residents. Anyone who has paid taxes in the state of South Carolina since 1998 is urged to call the phone number. After calling the number, anyone affected by the breach will be given a code to enter upon visiting the website.
The state will provide those affected with one year of credit monitoring and identify-theft protection free of charge. The cost for this was not provided.
The breach, which was described by Williams as among the largest he’d seen, comes on the heels of several other cracks in the cyber security wall in the past year, one of which occurred when a state employee transferred confidential Medicaid data to his personal email account last April. And in August more than 30,000 University of South Carolina students had their confidential information compromised by an overseas hacker.
Officials said they do not believe this attack is related to any previous ones.