X

Millions of SSNs lifted from South Carolina database

Slipshod security at the state Department of Revenue leads to a massive security breach: 3.6 million Social Security numbers are stolen. The state's population is approximately 4.7 million.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio
Declan McCullagh
2 min read

If you live in South Carolina, there's a very good chance that slipshod state government security has allowed an overseas computer criminal to acquire your Social Security number.

The South Carolina Department of Revenue acknowledged the massive electronic security breach today, saying an electronic intrusion led to 3.6 million Social Security numbers being stolen. The state's population is approximately 4.7 million.

"We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected," Gov. Nikki Haley said in a statement.

S.C. Department of Revenue director James Etter, who learned of the largest security breach in the state's history on October 10
S.C. Department of Revenue director James Etter, who learned of the largest security breach in the state's history on October 10 State of South Carolina

Anyone who has filed a South Carolina tax return since 1998 -- including former residents who have since moved out of the state -- is being urged to call (866) 578-5422 to enroll in a consumer protection service and visit protectmyid.com/scdor.

Social Security numbers weren't always used as taxpayer ID numbers, and it's possible that South Carolina's missteps could prompt a move to rethink their use. It wasn't until 1976, when the federal Tax Reform Act was adopted, that states began to adopt SSNs for tax and motor vehicle licensing purposes.

Employers, universities, and even some states have adopted substitutes for SSNs, which can jeopardize privacy when disclosed because they're used for authentication and as a unique identifier. The U.S. Navy is moving away from SSN use, and New York's civil service offers substitutes for people without SSNs. So, perhaps ironically, does the University of South Carolina.

A chronology of events (PDF) that the state published today says that the Department of Revenue learned of the intrusion on October 10 -- it doesn't say how, and USA Today suggested the hacker may have contacted the state demanding a ransom -- and alerted federal and state law enforcement.

On October 12, the state hired an outside consultancy, Mandiant, which determined the intruders accessed state systems in early and mid-September. It wasn't until eight days later, on October 20, that the suspected security hold was actually closed.

Approximately 387,000 credit card numbers were in the files taken, the state said. But officials claim that only 16,000 were unencrypted.