The South Carolina Department of Revenue today acknowledged that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers were recently stolen by hackers.
"The vast majority of the credit card numbers were encrypted, but about 16,000 were not, meaning the data was fully exposed, state police said," writes Reuters' Harriet McLeod. "None of the Social Security numbers were encrypted, said State Law Enforcement Division spokesman Thom Berry."
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," South Carolina governor Nikki Haley said in a statement [PDF file]. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."
"'This is not a good day for South Carolina,' Haley said. 'I want this person slammed against the wall.' Haley suggested that all who have filed a tax return in South Carolina since 1998 take steps to protect their identity and monitor their credit accounts," writes TechNewsDaily's Ben Weitzenkorn.
"An initial attack was launched August 27th, though it's believed no data was stolen during this first attempt," writes The Verge's Chris Welch. "But two additional intrusions were recorded in September according to the Department of Revenue, which was made aware of the situation by South Carolina's IT division on October 10th."
"Shortly after learning of the attack, the Revenue Department hired Mandiant, an advanced threat detection and incident response provider, to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access," writes GovInfoSecurity's Eric Chabrow.
"With a state population of about 4.6 million, the exposure could affect as many as much as three-fourths of South Carolina citizens," notes Ars Technica's Dan Goodin.