The hacker was able to gain access to the database containing the personal information through an online application located on the York County website, the county explained.
The compromised server contained a backup database “and that’s where the majority of (the names) were”, Joel Abernathy, director for York County’s IT department, told the Charlotte Observer newspaper. “The database could be 12 to 15 years old” and contained about 12,500 names.
The remaining names came from a newer database collected up until Aug. 29, 2011, when the county detected the intrusion and shut down the database.
County officials said that they took so long to notify potential victims because their investigation found no indication that the information was taken from the server. Forensic testing of the server revealed “no smoking gun”, Joel Abernathy, director for Your County’s IT department, told the newspaper.
South Carolina law requires that organizations notify victims of data breaches in the “most expedient time possible and without unreasonable delay”, the newspaper noted. Stuart Rossman, director of litigation for the National Consumer Law Center, told the newspaper that a nine-month delay would not be considered reasonable by most people.
This is the second major data breach by a South Carolina government agency in less than a month. In April, the South Carolina Department of Health and Human Services announced that an employee stole personal data on 228,000 Medicaid recipients.