CHARLESTON, S.C., Oct 26 (Reuters) - As many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers used by state taxpayers could have been exposed to a hacker in recent cyber attacks on the state Department of Revenue’s computers, officials said on Friday.
The vast majority of the credit card numbers used by South Carolina taxpayers were encrypted, but about 16,000 were not, meaning the data was fully exposed, state police said.
None of the Social Security numbers were encrypted, said State Law Enforcement Division spokesman Thom Berry.
Berry said the hacker used a foreign Internet Protocol (IP) address to gain access to the data.
“This is not a good day for South Carolina,” Governor Nikki Haley said at a news conference in the state capital of Columbia. “I want this person slammed against the wall,” she said of the hacker.
“I want to get this person and make sure he can never do this to anybody or any state again,” Haley said “I want that man just brutalized.”
Officials said no public funds were accessed or put at risk. An investigation into the security breach is ongoing.
Investigators this month discovered two attempts to probe the Department of Revenue’s system in early September, and later learned of an attempt made in late August, state officials said.
Two other intrusions occurred in mid-September, and the department determined the hacker had obtained data for the first time, according to a statement from the state.
Officials said the vulnerability in the system was closed on Oct. 20 and the system is now believed to be secure.
Anyone who filed a South Carolina tax return since 1998 is being urged to find out whether their information was affected. The state will provide those affected with one year of credit monitoring and identity theft protection.
Earlier this year, police arrested a South Carolina state health agency employee they said had made off with almost 230,000 Medicaid recipients’ personal information.
Also, the University of South Carolina said in August that a hacker had breached the personal information of as many as 34,000 people connected to its College of Education.