Security breach will haunt SC for decades to come

South Carolina officials are only beginning to grapple with the magnitude of the problems created by the security breach last fall at the Department of Revenue.

The ramifications of the theft of critical identifying information for millions of people will be with us for decades. There is no one-year or 10-year timeline for addressing them. "This is going to be a lifetime issue for everyone," said state Sen. Kevin Bryant, R-Anderson, who led the Senate panel that investigated the hacking. "The infant on a parent's tax return may live to be 90 years old."

Senate Finance Committee Chairman Hugh Leatherman warns that resolving the issues resulting from the hacking and preventing future attacks could cost the state "hundreds of millions" of dollars.

How big was this breach? The preamble to a Senate bill addressing it starts with this chilling description: "Between Aug. 13, 2012, and Sept. 15, 2012, a cyber criminal gained unprecedented access to 44 South Carolina Department of Revenue computer systems, utilizing 33 unique and undetected pieces of malicious software, leading to the ultimate theft of more than 6 million of the state's taxpayers' most sensitive pieces of personal identifying information that were not encrypted, including Social Security numbers, bank account information and credit card numbers."

The state started with an offer of one year of free credit monitoring. Of the 6.4 million individuals and businesses affected by the breach, only about a third have signed up for this minimal protection. The deadline is March 31.

The Senate bill, which the Senate Finance Committee approved this past week, offers 10 years of credit fraud protection. It also would allow taxpayers to purchase their own identity-theft protection and get a tax credit of $300 for individual filers and $1,000 for joint filers.

That's fine if you pay income taxes in South Carolina. But what if you have already moved away or will move away in the future? Anyone who filed an online tax return since 1998 was affected.

The bill also creates:

  • A department of information security that reports to the governor.
  • An identity-theft unit at the S.C. Department of Consumer Affairs.
  • Two committees to recommend statewide technology and cyber-security policies.

The identity-theft unit could prove to be the most helpful. There is no one place to go if you're the victim of identity theft and suspect that it's the result of the Department of Revenue breach. The Revenue Department isn't much help, and there's no way to know for sure that your problems stem from this particular breach. Revenue employees can't file necessary reports to law enforcement or the Federal Trade Commission on your behalf.

A spokesman for the S.C. State Law Enforcement Division told The Greenville News that the agency is recommending that people notify local law enforcement officials and referring them to the Department of Revenue. SLED is not trying to determine whether the thefts were the result of this particular breach.

A lawsuit filed after the breach was tossed out by a Circuit Court judge, who ruled that it hadn't gone far enough to prove that government officials were negligent with taxpayers' records and that it couldn't show that anyone had been harmed because of the breach.

Under the bill now headed to the full Senate, the Identity Theft Unit would:

  • Receive complaints about identity theft and fraud.
  • Provide information and advice on how to handle the problem.
  • Help victims get refunds on fraudulent charges or bank account withdrawals; cancel fraudulent accounts; and correct false information in credit reports, personnel records and court records.
  • Provide a centralized location where information related to identity theft can be securely stored and accessed for the benefit of victims.

The 6.4 million individuals and business owners whose information was stolen did nothing wrong. They followed the law. State officials did not do their jobs. It is up to the state to carry the burden -- and the cost -- of coping with this problem, and it must be prepared to do so for decades to come.