About 3.6 million tax returns from as far back as 1998 were hacked in South Carolina, and experts said Wednesday it may be the largest cyber-attack against a state tax department in the nation's history.
State and federal officials are investigating the hacking they say may have started in August and was discovered last month. They say the vulnerability in the system has been fixed. The 3.6 million tax returns filed since 1998 included millions of Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted. Tax information from businesses across the state may also have been accessed.
"I believe it might actually be the largest against a state government, but certainly of a state tax department," said Paul Stephens of the Privacy Rights Clearinghouse based in San Diego.
"We've never heard of anything like this so I think you can say that," agreed Verenda Smith, the deputy director of the National Federation of Tax Administrators in Washington.
Gov. Nikki Haley, who has been holding daily news conferences on the situation, was to meet with reporters again late Wednesday.
Also Wednesday, a former state senator filed a lawsuit against the state Department of Revenue and the governor, accusing them of failing to protect taxpayers. Attorney John Hawkins is seeking class-action status, hoping to represent all taxpayers whose Social Security numbers and credit card information were compromised.
He says the hacking of millions of personal records amounts to a class-five "cyber hurricane" and the state should have taken cost-effective steps to protect taxpayers' information and notified the public sooner.
There have been bigger security breaches of information that could lead to identity theft in both the private sector and the federal government.
Private information for as many as 76 million veterans may have been compromised when a defective hard drive from the Department of Veterans Affairs was sent for recycling with the information on it.
The largest case of credit and debit card data theft in the nation occurred when a hacker, sentenced two years ago to 20 years in prison, swiped information on 130 million accounts.
One of the issues swirling around the South Carolina hacking is whether the information should have been encrypted.
"The question is wrong," said Smith, whose agency provides services and training to state tax officials and agencies. "It's not as simple as do you encrypt Social Security numbers. Everybody encrypts. It's just a question of what stage it is and where it is when it's not encrypted."
Information that is being transmitted or is on a portable device like a hard drive or laptop is always encrypted.
"If it's behind several firewalls and you're working on it, it might not be encrypted," she said, adding that encryption makes the information more difficult for the agency to use. "It's hard to boil it down to any simplistic answer."
An agency survey of state revenue departments nationwide found that only four of the 16 departments that responded encrypt all data.
Stephens, director of policy and advocacy for the clearinghouse, a nonprofit consumer education and advocacy organization, said one way to protect information like that compromised in South Carolina is to minimize the amount of data that is being kept.
"If you are holding on to old data that is no longer essential to the operations of the department, you are unnecessarily putting people at risk. Why would you hold onto data of an individual who moved out of South Carolina a decade ago?" he asked.
"The unfortunate part of this is you have no choice and a resident with income is going to have to file a return," he said. "There are things in life that are discretionary but this is not and one expects the government to be a good steward of the data entrusted to it."