South Carolinians will start receiving notification letters next week if their personal financial data was stolen in the massive cyber-attack at the S.C. Department of Revenue, Gov. Nikki Haley said Thursday.
Hackers took Social Security numbers and other sensitive information belonging to 3.8 million taxpayers with 1.9 million dependents, as well as nearly 700,000 businesses, in mid-September. The hacking is thought to be the largest-ever nationwide at a state agency.
The notification letters also will inform 3.3 million taxpayers whose bank account numbers were part of the theft.
S.C. banks and credit unions learned which accounts were involved in the breach this week and have stated flagging those accounts to monitor possible suspicious activity, said Fred Green, president of the S.C. Bankers Association.
In addition, the trade group is setting up an early-warning network so banks can share news about thieves attempting to steal money from accounts compromised in the hacking.
The breach notification letters that Haley announced on a radio show Thursday will tell taxpayers who want to know for sure, six weeks after the state made the thefts public, if their information was taken.
Hackers stole data only from tax returns filed electronically, the governor has said. The records stolen date back to 1998.
Banks learned which accounts were involved in the breach this week as part of a court order issued after a "friendly" lawsuit allowed the Revenue Department to share the data, Green said.
With their planned early-warning network, banks will report incidents that will trigger notices to be sent to the state's 80 banks, he said. The state's 80 credit unions will be invited to join the network.
The association plans to have the network operating by the end of the month. Banks cannot charge customers a fee for the new security, Green said.
Concerned customers can change their bank account numbers, but Green said they should weigh the inconvenience. Changing account numbers means new checks and debit cards, and switching auto-payment and direct-deposit requests.
"The best defense is looking at your statement and if you see anything unauthorized, call your bank," Green said.
Banks must replace fraudulent withdrawals if customers find problems within 60 days after receiving a statement, Green said.
In other developments:
South Carolina's $12 million deal with Experian to offer a year of credit monitoring at no cost to individual taxpayers gives lifetime fraud resolution for adults but not children, who are covered for just a year. Experian will extend the coverage for children at a cost of $20 a month.
To fill that hole, the San Diego-based Identity Theft Resource Center has talked with state officials about offering its free fraud resolution services to S.C. residents. The group relies on outside funding but has not asked South Carolina for money, center president Eva Velasquez said.