Any US citizen who has filed a state tax return in South Carolina since 1998 is now at risk, after a hacker broke into one of the state's sites and accessed data that the Department of Revenue failed to encrypt.
That's about 3.6 million Social Security numbers, or 77% of the state's population.
Another 387,000 credit and debit card numbers were also exposed in an internet attack that the SC Department of Revenue announced on Friday.
Most of the credit card numbers were encrypted, while some 16,000 were not, government officials said in a press conference in Columbia, SC.
Social Security numbers also lacked protection, they said.
The state discovered the breach on 10th October but waited 16 days to inform the public.
Gov. Nikki Haley and State Law Enforcement Division Chief Mark Keel defended the delay, saying that investigators needed the time to gather evidence and to try to track down the attacker.
"When this breach occurred and it was discovered … it took a while for experts to determine how much data had actually been compromised."
"It was important that we had the time to work through our investigation so that we would have enough evidence to prosecute this person."
Haley called the breach "unprecedented" for her state, according to the Charleston Post & Courier.
US Secret Service agent Mike Williams said the breach was one of the largest his agency has ever handled.
So far, they haven't implicated the culprit(s) but have said that the attack came from a foreign source.
The governor, for one, has a good idea of the penalty she'd like to see meted out.
"I want this person slammed against the wall. … I want that man just brutalized."
According to news reports, officials have determined that the attacker first probed the system on 27th August.
Six days after the breach was discovered on 10th October, officials uncovered two attempted system probes that the attacker tried in early September.
Later in September, the attacker breached the system twice.
Investigators believe that this is when the hacker first obtained data, including taxpayers' personal information.
Officials haven't yet discovered any other intrusions.
The department closed the vulnerability on 20th October and, as far as the department knows, secured it.
Haley said that she knows where the attack originated, saying the source was outside the United States. She declined to reveal the location, saying she couldn't jeopardize the ongoing investigation.
The state is asking that those who've filed a state tax return since 1998 visit protectmyid.com/scdor, which offers a complimentary membership to Experian's credit monitoring service, or call 1-866-578-5422 to determine if their information is affected.
Was it wrong to delay the announcement?
Unfortunately not, in my opinion, just as I feel it was right for Barnes & Noble to delay in informing the public after it first discovered that hackers had recently hijacked PIN pad numbers.
In both the South Carolina and Barnes & Noble attacks, investigators must have time to track down intruders.
Would brutality and smashing attackers against a wall succeed in stopping cyber attacks?
Probably not, but we'll assume the governor was speaking hyperbolically, being a bit riled up.
But while brutality and walls may not productively play into cyber defense, protection such as encryption can and should.
Perhaps the governor should, gently, use that wall to line up the revenue department officials who should have protected taxpayer data in the first place.