COLUMBIA — South Carolinians will start receiving notification letters next week if their personal financial data was stolen in the massive cyber-attack at the S.C. Department of Revenue, Gov. Nikki Haley said Thursday.
Hackers swiped Social Security numbers and other sensitive information belonging to 3.8 million taxpayers with 1.9 million dependents as well as nearly 700,000 businesses in mid-September.
The hacking is thought to be the largest-ever nationwide at a state agency.
The notification letters also will inform 3.3 million taxpayers whose bank account numbers were part of the theft.
S.C. banks and credit unions learned which accounts were involved in the breach this week and have stated flagging those accounts to monitor for possible suspicious activity, said Fred Green, president of the S.C. Bankers Association.
In addition, the trade group is setting up an early-warning network so banks can share news about thieves attempting to swipe money from accounts compromised in the massive hacking.
In other news:
• The S.C. House appointed a special committee Thursday – led by new Majority Leader Bruce Bannister, R-Greenville – to investigate the computer records theft. The state Senate’s cyber-attack special committee has met twice.
• The state is working with a San Diego nonprofit consumer group to provide lifetime credit fraud resolution for children whose Social Security numbers were stolen.
South Carolina’s $12 million deal with Experian to offer a year of credit monitoring at no cost to individual taxpayers gives lifetime fraud resolution for adults but not children, who are covered for just a year. Experian will extend the coverage for children at a cost of $20 a month.
To fill that hole, the San Diego-based Identity Theft Resource Center has talked with state officials about offering its free fraud resolution services to S.C. residents. The group relies on outside funding but has not asked South Carolina for money, center president Eva Velasquez said.
‘Friendly’ lawsuit gives banks information
The breach notification letters that Haley announced on a radio show Thursday will ease concerns for taxpayers who want to know for sure, six weeks after the state made the thefts public, if their information was taken.
Hackers stole data only from tax returns filed electronically, the governor has said. The records stolen date back to 1998.
Banks learned which accounts were involved in the breach this week as part of a court order issued after a “friendly” lawsuit allowed the Revenue Department to share the data, Green said.
With their planned early-warning network, banks will report incidents that will trigger notices to be sent to the state’s 80 banks, he said. The state’s 80 credit unions will be invited to join the network.
The association plans to have the network operating by the end of the month. Banks cannot charge customers a fee for the new security, Green said.
Hackers only got bank account numbers for taxpayers who filed electronically and routed refunds for direct deposit, he added.
Concerned customers can change their bank account numbers, but Green said they should weigh the inconvenience.
Changing account numbers means new checks and debit cards, and switching auto-payment and direct-deposit requests.
“The best defense is looking at your statement and if you see anything unauthorized, call your bank,” Green said.
Banks must replace fraudulent withdrawals if customers find problems within 60 days after receiving a statement, Green said.