Columbia, SC (WorthyNews) - The State of South Carolina on August 27, 2012 experience a 'data breach' in its Department of Revenue files. It experienced two more breaches in early September, and two more data breaches in mid September, according to an official press release issued by the State of South Carolina Department of Revenue.
South Carolina Department of Revenue (DOR) Director James Etter said that on October 10th of this year, DOR was contacted by the South Carolina Division of Information Technology and informed them of a "potential cyber attack involving the personal information of taxpayers."
"We worked with them throughout that day to determine what may have happened and what steps to take to address the situation," he said. "We also immediately began consultations with state and federal law enforcement agencies and briefed the governor's office."
Upon the recommendation of law enforcement officials, DOR contracted Mandiant, a personal information protection company based in Alexandria, VA, to "assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access (emphasis added)."
According to the official press release, which can be found here, the hacker (which was traced back to Russia) obtained data for the first time in mid-September. No other intrusions were noted past that time, and the vulnerability in the system was closed.
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina, and all our citizens," said Governor Nikki Haley in the press release. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected( emphasis added)."
"From the first moment we learned of this, our top priority has been to protect the taxpayers and citizens of South Carolina, and every action we've taken has been consistent with that priority," DOR Director Etter said. "We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation."
Here is where it gets interesting. The State of South Carolina puts out a press release stating that in order to verify if your personal information has been compromised, you can call Experian Data Breach Resolutions at 1-866-578-5422. A call placed to that number attempts to redirect you to their website, www.protectmyid.com, where they give you an enrollment offer.
Question 1: Why should a person have to enroll in the credit/ID protection program in order to find out if their information has been compromised? Question 2: Why is SC DOR not handling this situation themselves? Question 3: Why did the State of South Carolina release the private information of approximately 3.6 million tax filers to Experian without their permission? In order for Experian to be able to tell the individual taxpayer if their personal information has been compromised, they must first have the information.
A call placed to Governor Haley's office, by me, revealed that neither the State of South Carolina nor Experian can tell you if your private information has been compromised. In order to do that, you must obtain a credit report, call your credit card company, your bank, etc... and find out if there has been any unusual activity. Why then in the official press release is the State of South Carolina saying that you must go to Experian's website to see if your personal information has been stolen? The only possible conclusion is that the State of South Carolina, in cooperation with Experian, is trying a massive phishing campaign in an attempt to get the private information, including credit card and bank account numbers, of the citizens potentially affected.
Another question that must be asked is this: If Mandiant has fixed the problem of the hack, why then are they going to "institute tighter controls on access?" According to broadcast media, the hacker was traced back to Russia. The statement above suggests that the "data breach" was instituted from within, from a Department of Revenue employee. Why the lie?
Yet another question arises: Why does this situation require a "large-scale response" on the part of South Carolina citizens, as Governor Haley stated in the press release? Why are both potentially former and current citizens urged to participate in this program instituted by South Carolina?
If the State of South Carolina had simply went out and said this happened and that they are urging their citizens to have their credit checked to find out if their personal information had been compromised, many citizens would willingly have done the things the State is recommending. Why then the deception? Why the push for the citizens of the state of South Carolina to turn over their personal information?
The State of South Carolina knows that its citizens would not willingly give up such personal information easily. The only way to ensure maximum response from the citizens of South Carolina is to concoct this whole "Russian hack attack" scheme in order to get it. This constitutes phishing, a.k.a. identity theft, both of which are punishable by law.