Data breach targets 3.6M taxpayers
A recent hacking of South Carolina's tax records should make you wonder how secure your state's records are.
If you've filed a state tax return in South Carolina at any time since 1998, you are at serious risk for identity theft. Hackers began poking around in a state Department of Revenue server in August and later accessed 3.6 million Social Security numbers and 387,000 debit and credit cards.
All but 5,000 of the credit/debit card numbers were encrypted, and those that weren't were expired, state officials said. But none of the Social Security numbers were encrypted. Those 3.6 million people will need to monitor their credit records for many years to come, checking for fraud.
How could this happen? It turns out that hackers like to target state and local governments, which may be unwilling or unable to buy the best security possible.
"Typically, the decision not to encrypt sensitive information is driven by budget limitations rather than by industry standards or best practices," Torsten George, the vice president of worldwide marketing and products for risk management vendor Agiliance, told Computerworld.
The list of targets is long. Says USA Today:
"From late September through mid-October, damaging hacks were reported by the city of Burlington, Wash.; the Centers for Medicare and Medicaid Services in Baltimore; the Town Council of Chapel Hill, N.C.; the Robeson County Board of Elections in Lumberton, N.C.; the Brightline Interactive, Army Chief of Public Affairs office in Alexandria, Va.; the city of Tulsa, Okla.; and the town of Willimantic, Conn."
And those are just the ones that have been disclosed.
Adds The State newspaper in South Carolina:
"Just one in four state chief information security officers nationwide said they are very confident in their states' ability to guard data against an external cyberattack, according to a survey released last week. Seven in 10 reported a breach."
The exposure of taxpayer information in South Carolina is breathtaking in scope. Said The State in another story:
"The massive data theft, affecting anyone who filed a state tax return since 1998, has jarred South Carolina. Hackers grabbed access potentially to 'any information contained on a tax return,' the S.C. Department of Revenue said. That includes Social Security numbers and bank account data used to route direct deposits of refunds."
The state has negotiated a $12 million deal with credit bureau Experian to provide affected people who sign up with a year of free credit monitoring and a lifetime of fraud resolution -- personalized help if someone opens credit accounts in your name. The offer applies to children whose Social Security numbers were included on their parents' state tax returns.
That might sound like a deal, but after the year of free monitoring, you're either going to have to take that chore upon yourself or pay a service to do it. Experian is probably counting on that.
"What you will have is fraud resolution for life, monitoring for a year, and then we need to monitor for ourselves after that. Whether we choose to go through a program or whether we choose to do it any other way, we need to start doing that going forward," Gov. Nikki Haley said Oct. 30 at a press conference.
The South Carolina Department of Revenue recommends that taxpayers whose records were compromised immediately begin monitoring credit reports and bank and credit card accounts for unusual activity, and place fraud alerts or freezes on their credit histories. If I were a taxpayer there, I'd opt for the freeze. Says the revenue department:
"Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. In South Carolina, there is never any charge to you for placing, thawing or lifting the freeze."
Let's hope that other states are paying close attention to this breach and the havoc it's caused.
Copyright © 2013 Microsoft. All rights reserved.