We hear about various databases being hacked by criminals seeking personal information. Neither size nor source surprises us very much anymore, but information that is coming out on a hack of a taxpayer database in South Carolina is simply startling.
Somehow a hacker got hold of the credentials of one of the 250 state employees who have access to the database that contains the tax returns of every individual who has filed a state tax return in South Carolina since 1998. The number of affected filers is now estimated to be 3.6 million individuals and some number of small businesses and corporations.
The best guess is that the hacker had access to the database for about a month before the U.S. Secret Service, in a computer sweep, discovered the incursion.
I'll let you contemplate those numbers for a moment. 3.6 million Social Security numbers were compromised along with some 387,000 mostly encrypted credit or debit card numbers.
This is actually the second time this year that a South Carolina government database has been hacked. In April, a state employee was charged with stealing Social Security numbers from more than 228,000 Medicaid patients.
State law enforcement officials have said this was a very sophisticated crime. South Carolina Gov. Nikki Haley told reporters that the breach was both complicated and ingenious. "This was a sophisticated hacker who creatively looked at the system," she said. "This was no simple breach."
This most recent data breach in South Carolina has also renewed a debate that has raged in computer security circles for years: to encrypt data or not bother to encrypt. In this case, the creators of the database decided to encrypt credit card numbers but, for financial and timing reasons, not to encrypt filers' Social Security numbers.
Gov. Haley defended this decision amid growing criticism. She insisted the state used the same standards as banks and other private institutions when it decided not to encrypt Social Security numbers and other information contained on the database.
The state has offered free credit report monitoring for any state taxpayer who wants it. On the first day it was available, 455,000 calls were received.
The offer of free credit monitoring is a standard offer put out by governments or private companies that have had databases containing personal information hacked or otherwise lost. As I discuss at some length in my book, "Bankrupt at Birth," credit monitoring can be helpful, but is really only minimally effective in warning when your identity has been stolen.