Businesses also hit in the South Carolina tax hack

It was originally thought that only individuals had been affected by the breach. On Tuesday, however, the forensic investigating consultants, Mandiant, discovered that potentially more than half a million businesses could also have had their tax details stolen (the exact number is still unknown because of possible duplicates within the system). Dun & Bradstreet and Experian are now offering lifetime business-protection services for free to affected South Carolina businesses. A similar Experian service for consumers is for one year only.

While Mandiant continues to investigate the breach, governor Nikki Haley’s efforts are concentrated on getting people signed up to Experian’s ProtectMyID program. It cannot be done centrally by the state because of legal privacy issues. On Thursday she appealed to her cabinet members to use their departments to get the information out to the public. “If you look at the numbers, the call numbers and the enrollee numbers, it's starting to come together,” she said yesterday. By Thursday afternoon there had been 653,000 calls to the identity protection hotline, and 521,000 enrollees.

Details and method of the hack are still not public. It is believed that overseas hackers used state-approved credentials to get into the system, and that the Department of Revenue only learnt of the breach after being informed by the Secret Service on 10 October. “I don't think we're allowed to talk about that at all,” Haley said, suggesting later that attacks are unpreventable: “If somebody wants to get in, they're getting in.”

Now, however, she has another worry. Former state Sen. John Hawkins has filed a suit against Haley, James Etter (the Revenue Department director) and the Revenue Department on behalf of a 60-year-old semi-retired factory supervisor. Hawkins plans to make it a class action suit. He claims that the state could have done more to protect the data, and should have revealed the breach sooner. Haley dismissed the suit. “There is a trial lawyer with a hand out and a tissue ready at any crisis, and he has just proven that,” she said.

Nevertheless, the fact that the vast majority of the stolen data was unencrypted, and that the state is now encrypting tax data, will be a concern.
