Lawsuit for South Carolina tax agency breach expands to security firm

Attorney John Hawkins, a former Republican senator, filed the initial suit Oct. 31 in Richland County against Gov. Nikki Haley, the SCDOR and its director, for negligence. He is now adding Trustwave to the list because the company was hired by the South Carolina Department of Revenue (SCDOR) in 2005 to provide computer security in place of DSIT. It’s in the crosshairs of the suit, according to the plaintiffs, because it failed to prevent the heist, in which international hackers made off with 3.6 million personal income tax returns, 387,000 credit and debit card numbers and up to 657,000 business filings.

“Our policy is not to comment on legal matters,” Trustwave said when asked for comment.

Meanwhile, DSIT neglected its duty by allowing its functions to be outsourced to a third party, the suit alleges.

"The public is forced with threat of jail to pay taxes and give their personal information to SCDOR, and yet SCDOR took only the flimsiest steps to protect this private data, leaving South Carolina the most vulnerable target for hackers of any state in the Union," Hawkins told FOX Carolina.

The SCDOR told the television station that it hired Trustwave in lieu of DSIT because the latter didn’t audit PCI compliance, required for use with credit card numbers. Hawkins said pshaw, adding that “PCI compliance does not apply to social security numbers and is not an excuse for the tax agency to use more robust and readily available security systems, like those offered by DSIT,” according to FOX Carolina.

The investigations suggest that the intrusions occurred some five times from late August to mid-October, with the majority of the data stolen during August. Officials stress that no public funds have been stolen or put at risk, and that the credit card details are old and likely to be of little value to the thieves.

SCDOR Director Jim Etter has outlined additional safety solutions – including fraud monitoring for businesses from Dun & Bradstreet Credibility Corp and Experian, in addition to extended fraud resolution for individuals and coverage for dependents who are minors from Experian – available online for South Carolina taxpayers. 
