How hackers stole South Carolinians' tax-return data

info@islandpacket.com
November 22, 2012


  • By the numbers

    4: S.C. Department of Revenue employee accounts used in the hacking

    4: Internet addresses the hackers used

    12: Times between Aug. 27 and Oct. 17 that the department computer system was accessed

    33: Pieces of malicious software and utilities used

    44: Revenue department systems attacked

    74.7: Gigabytes of data taken

    Source: The (Columbia) State

  • Protect yourself

    Anyone who has filed a South Carolina tax return since 1998 is being urged to call 866-578-5422 to enroll in a consumer protection service at

Over two months, hackers managed to gain access to the S.C. Department of Revenue computers and steal state tax data belonging to 6.4 million consumers and businesses.

Mandiant, a Washington computer forensics firm hired by the state to investigate the incident, offered these details of how the hacking unfolded:

Aug. 13: Hackers send several department employees emails with a link that contains malware. One employee clicks on the link, unleashing a program that likely steals that person's username and password.

Aug. 27 and 29, Sept. 1-4 and Sept. 11: Hackers log into the department remotely and introduce more programs to help in their theft. They try to steal all of the department's passwords but use those of three additional employees, including some who have wide access to the computer system. The hackers install a backdoor and perform reconnaissance on department servers and the system that handles credit-card payments.

Sept. 12: Hackers copy and create 23 database backup files and leave them in a directory.

Sept. 13-14: The databases are compressed into 14 smaller files and moved onto the Internet. A 15th compressed file has an encrypted version of the department's data encryption key. The hackers delete the copies left on department computers.

Oct. 17: A week after the Secret Service informs the state about the breach, investigators find the backdoor when the hackers check their connection to a department server.

Oct. 19-20: The security holes are closed. Investigators report no sign that the hackers have tried to pry into the system since.
