South Carolinians are facing a perfect storm of identity theft.
The security breach into S.C. Department of Revenue tax records exposed our names, addresses, Social Security numbers, birth dates, credit and debit card numbers, and bank account and routing information. In short, everything a thief needs to steal our good names and take our money or stick us with bills for things we didn't buy.
The impact of the security breach should not be underestimated. The compromised information includes 3.6 million Social Security numbers, 387,000 credit and debit card numbers, tax records for 657,000 businesses, as well as tax filers' bank account numbers and bank routing numbers.
The records go back to 1998. Many people who no longer live or work in South Carolina also are affected.
The most frustrating aspect of this affair is how state officials have communicated what happened. We weren't told of the breach in security until 16 days after federal officials notified the state. That federal alert came nearly a month and a half after the first attempt to get into the department's records.
No one knows for sure whose information has been stolen. We were told no business information was at risk, then only a few businesses were affected, and then a staggering 657,000. To go from zero to 657,000 just made it seem worse.
We were told in quick succession that no could have prevented this from happening, that security holes had been plugged, that no one person in the department was to blame and that an employee's access code was used to get into the system.
Social Security numbers and about 16,000 credit card numbers weren't encrypted.
State officials, from Gov. Nikki Haley on down, must stop trying to downplay what happened. Excuses must stop. Simple "I don't know" answers will suffice until answers are in hand, then those answers should be forthcoming.
Officials should not exaggerate the protections offered through the credit monitoring service the state is paying for. It is only one step in many that we should take to make sure we're not victims of fraud in the coming months and years. Consumers can get one year of monitoring and insurance from Experian, paid for by the state. But individual taxpayers will have to pay to continue the coverage after one year. Consumers will have lifetime credit-fraud resolution. The cost to the state for those services has been capped at $12 million.
Businesses can sign up for lifetime record monitoring from Experian and Dun & Bradstreet Credibility Corp.
Most importantly, state officials must figure out how such a breach occurred, what went wrong, what was done that shouldn't have been done, and what wasn't done that should have been done.
Why did a security check conclude the Department of Revenue system was sound even as it was being hacked?
Should the state centralize computer operations to ensure stronger, standardized security protocols? The Revenue Department used the state Division of Information Technology's network-monitoring service at just a few work stations. It can spot viruses being installed and unusually large data uploads . The monitoring service was expanded to the entire system only after the breach.
Why didn't the department encrypt tax data, especially Social Security numbers? It's doing that now doing and says the process will take up to 90 days.
Why were the data accessible through the Internet?
What role did recent budget cuts play in the department's security decisions?
Many more questions will arise even as we get answers to these questions.
For now, we should all assume the worst about our personal information: It's been stolen and someone is up to no good with it.
We have to be vigilant in ways our state government was not.