Published November 1, 2012
The Greenville News
By Tim Smith, Staff writer
COLUMBIA — Another day of stunning revelations brought a disclosure by Gov. Nikki Haley that the hacking of the state’s computer system includes the exposure of the records of as many as 657,000 South Carolina businesses.
She also disclosed for the first time that in addition to 3.6 million Social Security numbers and 387,000 credit and debit card numbers, the breach of the Department of Revenue computers also exposed residents’ bank account numbers, bank routing numbers and any other information that was on checks used to pay taxes.
Haley said all businesses filing returns since 1998 will be offered free credit monitoring services by Dun & Bradstreet Credibility Corp. beginning on Friday.
Haley, whose administration is under fire for its handling of computer security, revealed new layers of exposure for the state’s residents in Wednesday’s installment of what has been a daily series of disclosures this week.
“If you paid by check, then anything on that check could be compromised,” Haley said. “Just keep in mind that you give a check to your grocery store, you give a check to anybody. So anybody that you give a check to, that information is always there.”
Officials have said they may not know for another month or more exactly what was taken by the foreign hacker as opposed to just exposed. Haley said “it would not hurt” for taxpayers to contact their banks but she said all banks are aware of the situation.
Haley, flanked by Revenue Department Director Jim Etter and State Law Enforcement Division Chief Mark Keel, said she shares taxpayers’ frustration at the lack of information available about the breach.
“This has been a frustrating experience for me because when you have a problem, you want to be able to answer the problem,” she said. “This is a problem that we keep unraveling. … It is something that I honestly feel like I’m finding out by the day.”
Etter disclosed the vulnerability to businesses during a hearing before senators on Tuesday, saying an undisclosed range of numbers used by the agency to identify businesses were in the information exposed.
Haley said Wednesday that Mandiant, the computer security firm hired to plug the breach and find out exactly what had been exposed, told officials Tuesday night that “some businesses had been compromised.”
“We are still trying to find out the information,” she said.
Haley said the number of businesses with information in the files could be much less, but officials are acting with caution in estimating the highest possible number.
“I don’t want to wait to find out who was in the batch,” she said. “I want to be sure we have people protected before that happens. It could take months before we find out who’s in the batch.”
Haley said the tax identification numbers included in the files aren’t secrets.
“They got what was already public,” she said. “But I would recommend that businesses take advantage of Dun & Bradstreet and sign up.”
To address the possibility of someone using the exposed information to cause problems with a business’s credit, Haley said all will be able to use Dun & Bradstreet’s CreditAlert service that will tell businesses if any changes are taking place in a company’s credit file, such as new lines of credit, a change to the company’s address or officer.
Haley said businesses should visit the firm’s website on Friday from 11 a.m. until 2 p.m., DandB.com/SC or call customer service at 800-279-9881.
The service is free, both to the businesses and the state, for the life of the business, Haley said.
“This is the kindness of a company that sees that we are going through a crisis and they wanted to help and we are very grateful for that,” she said.
Jeff Stibel, CEO and chairman of the company, released a statement saying his firm was honored to help. “When our nation or our states are in need, Dun & Bradstreet Credibility Corp. will drop everything to help.”
In contrast to what businesses are being offered, individual taxpayers who have been offered a similar service by Experian only receive credit monitoring for a year, though fraud resolution services will last for a lifetime. The cost for Experian’s service to the state is capped at $12 million, the governor has said.
Frank Knapp, president and CEO of the South Carolina Small Business Chamber of Commerce, said there was a “false sense of security” created by a statement Monday by Haley’s office that business information wasn’t among the data exposed.
He said what businesses want to know most “is how to protect ourselves.”
Otis Rawl, president and CEO of the South Carolina Chamber of Commerce, said his organization has advised members to contact the Revenue Department directly.
“I think a lot of the work has to be done on DOR’s end to kind of close the gaps,” he said. “We can work through these processes if we find we have a problem, but right now we don’t know if we have a problem or not.”
The governor said U.S. Sen. Lindsey Graham has talked to the IRS about allowing South Carolina businesses to change their federal tax identification numbers should they want to do that. Etter said Tuesday that his agency is planning to change all state identification numbers as well.
Haley said if businesses are nervous about using credit or debit cards that were used to pay
taxes, they can ask banks to change them and they will do so for free.
She said she doesn’t know yet what businesses outside the state that file South Carolina returns will do. But she said officials should be able to advise those businesses by Friday.
Haley said the state has contacted the Federal Trade Commission about the hacking, which is being investigated by the U.S. Secret Service and SLED.
As of Wednesday, Haley said, 620,000 calls have been made to Experian for taxpayers to enroll in their free credit monitoring service and 418,000 people have registered for the service.
Haley said she is concerned that more taxpayers haven’t signed up for the service and she’s asking her cabinet agencies to reach out into communities to inform people as they make contact with any agency.
Senators this week asked the Revenue Department to explore the idea of notifying taxpayers and signing them up after gaining their permission.
But Haley said that wasn’t practical.
“This is the Department of Revenue,” Haley said. “It is still a confidential agency. People have to do this themselves. We can’t as a state take it upon ourselves and sign people up for something they may not want. …This is an issue of personal responsibility.”
Etter said the computer systems used by the Revenue Department date to the 1970s and have been updated since 2006. Haley said what matters is the programs used by the computers, not the hardware.
“They are slow computers but they are the same as the rest of state government,” Haley said.
“What this issue has taught me is if someone wants to get in, they will get in and if somebody wants to make something happen, they will make it happen.”
Keel said he couldn’t comment on the status of the investigation. Haley and Etter said they couldn’t say more about how the hacker gained entry or what officials did to close the hole.
Etter told senators Tuesday that the hacker used an employee’s credentials to gain access to the system.