WASHINGTON – Military members and their families are among the victims of what is being called the largest cyberattack of its kind against a state government agency.
The cyberattack on South Carolina’s Department of Revenue, discovered in October, led to the pilfering of Social Security numbers and a wealth of other personal financial data from millions who filed South Carolina tax returns since 1998.
In addition to raiding the tax records of 3.8 million taxpayers, international hackers in August and September also stole the Social Security numbers of about 1.9 million dependents – as well as information from nearly 700,000 businesses, 3.3 million bank accounts and 5,000 credit cards.
Sen. Lindsey Graham, R-S.C., sent a letter to the Defense Department leadership urging them to notify all military members and their families of the security breach. Since 1998, many military members have rotated through the state’s numerous bases and may now be living overseas.
Samantha Cheek, a Department of Revenue spokeswoman, said the state recognized that this cyberattack was “a significant issue” for military members, “in light of the uniquely mobile natures of their service.”
All affected taxpayers should receive letters of notification from the state, she said. But anyone who filed a tax return since 1998 in the state should take the following steps to protect themselves:
Defense personnel should visit ProtectMyID.com/SCDOR and use the activation code SCDOR123 or call Experian’s national consumer assistance center at (866) 578-5422 by Jan. 31 to determine whether their information is at risk. If so, enroll in identity theft protection, which is being offered free for one year by the state, along with $1 million in identity theft insurance.
Also current and former South Carolina business owners should contact Dun & Bradstreet Credibility Corp. at dandb.com/sc/ or (800) 279-9881 to sign up for free credit monitoring services for a year.
Graham said in a Nov. 28 press conference that the data breach served as an example of the type of threat that could lead someday to “a major cyberattack against our national security infrastructure: our power plants, our aviation systems, our financial systems.” He and other Congressional members have been pushing for the passage of cybersecurity legislation that would ensure that businesses do more to protect customers from cyberattack.
Investigators said this attack started from a malicious email sent to the state agency’s workers, which appeared to be from a trusted sender. It contained a link, which when clicked, enabled hackers to steal at least one employee’s user name and password to pilfer information. The agency had not encrypted Social Security numbers and other financial data.