COLUMBIA -- As many as 657,000 S.C. businesses had their tax information stolen in the massive security breach at the state Department of Revenue that also claimed the records of up to 3.6 million people, Gov. Nikki Haley said Wednesday.
Since Friday, when they announced the hacking publicly, state officials had said that they did not think business records were exposed.
But Mandiant, a consultant hired by the S.C. Department of Revenue, found Tuesday night that business tax records had been compromised, too, Haley said. The discovery came after a two-hour Senate Finance Committee hearing, where Revenue Department director James Etter pointedly was asked whether business records also had been taken by the hackers.
State officials still are learning more about the data theft, which is affecting four times as many people as all previous breaches combined in the state over the past seven years. "It is honestly something I feel I find out by the day," Haley said.
Earlier this week - before the business breach was announced - Haley said the tax-data theft was not affecting economic-development efforts. Her office declined to elaborate on those comments Wednesday, after businesses learned their information was exposed.
State Sen. Vincent Sheheen, the Camden Democrat who ran against Haley for governor in 2010, said the state now faces another hurdle to overcome in winning businesses.
"They will want us to assure them this screw-up won't happen again," he said.
Like other S.C. taxpayers, state businesses will be able to get free credit monitoring. But companies will get longer coverage.
Businesses that have filed state taxes since 1998 can sign up for lifetime record monitoring from Experian starting today and Dun & Bradstreet starting Friday.
Consumers can get one year of monitoring and insurance from Experian, paid for by the state. However, individual taxpayers will have to pay to continue the coverage after one year. Consumers will get lifetime credit-fraud resolution as part of Experian's agreement. The cost to the state for those services has been capped at $12 million.
Dun & Bradstreet and Experian are offering business-protection services for free to South Carolina, the governor's office said.
The number of businesses and consumers affected by the tax-data theft is unknown, Haley said. But to be safe, she suggested all 657,000 businesses and 3.6 million consumers who have filed state taxes since 1998 sign up for protection.
U.S. Sen. Lindsey Graham, R-Seneca, is working with the federal Internal Revenue Service to allow businesses to change their federal tax identification numbers, which are part of the compromised tax records, Haley said.
"What I'm telling you today is what we know as of now," she said. "As (Mandiant opens) this up and as they give us information, we are staying on the very, very cautious side as opposed to saying, 'Oh, that's probably not the case.' We are actually going above and beyond."
More than 418,000 individual taxpayers had enrolled in Experian's consumer credit-monitoring service by Wednesday. About 100,000 people a day are signing up this week based on the data released by state officials.
Haley has called a Cabinet meeting today to see how various state agencies can help get out the message about the free credit-report monitoring.
Overseas hackers used state-approved credentials to enter the Revenue Department system in August and September. State officials again Wednesday declined to discuss any more details of the investigation into the hacking. That investigation is being led by the Secret Service, which told S.C. authorities about the breach on Oct. 10.
In addition to any data that can be found on a tax return, the crooks also took 387,000 credit card numbers from the Revenue Department. All but 16,000 of the credit card numbers and all of the tax data was unencrypted.
The state now is encrypting tax data.
On Wednesday, the first announced lawsuit was filed in the data-security breach.
Former state Sen. John Hawkins of Spartanburg filed the suit in Columbia. He intends the case to become a class-action lawsuit on behalf of all affected S.C. taxpayers.
The suit - filed for Phillip Morgan, a 60-year-old semi-retired factory supervisor - names Haley, Etter and the Revenue Department as defendants. Haley endorsed Hawkins' opponent in June's GOP primary, incumbent Lee Bright, for a state Senate seat in Spartanburg.
"This is like a cyber-hurricane and a Category 5," Hawkins said.
The suit claims the state could have done more to safeguard taxpayers' information and waited too long to notify the public of the breach - violations of a state law designed to protect consumers from identity theft.
South Carolina revealed the hack on Friday, 16 days after the Secret Service informed the state of the breach. Authorities said they delayed telling the public to close the security gap in the Revenue Department's computer system and to try to catch the hacker.
"This is causing a lot of unnecessary worry and heartache across South Carolina," Hawkins said.
Haley and Revenue Department director Etter should stop saying nothing could have prevented the breach, Hawkins added. "They should say what we did right and what we did wrong ... and not blame a Russian syndicate."
Haley dismissed the suit.
"There is a trial lawyer with a hand out and a tissue ready at any crisis, and he has just proven that," she said.
In other news related to the Revenue Department, the recent resignation of the agency's chief information officer was unrelated to the cyberattack, a spokeswoman said. Mike Garon resigned on Sept. 21 - nearly three weeks before the hacking was discovered, department spokeswoman Samantha Cheek said. She declined to say why Garon left the agency.