On October 26 officials of the South Carolina Department of Revenue announced they experienced a breach by an international hacker. In this case 3.6 million Social Security numbers (SSNs) and 387,000 credit and debit card numbers belonging to South Carolina taxpayers were exposed, The state will provide affected taxpayers with a year of credit monitoring and identity theft protection service from Experian.
The breach is easily the biggest involving Social Security Numbers this year. The next largest breach happened when hackers broke into a Medicaid server in Utah this March and accessed closed to 280,000 SSNs.
“Anyone who has filed a South Carolina tax return since 1998 is urged to call 1- 866-578-5422 to determine if their information is affected,” the Department said. The state’s Department of Revenue became aware of the breach Oct. 10 and an investigation revealed the hacker had stolen the data in mid-September, after probing the system for vulnerabilities in late August and early September. The vulnerability exploited by the attacker was closed Oct. 20.
Barnes and Noble bookstore also had a breach which was announced on October 23. Hackers broke into the POS (point of service) system and were able to access credit and debit card information (including PIN information) for about 63 stores across the country for customers who shopped as recently as September. The company discovered on Sept. 14 that the information had been stolen but kept the matter quiet at the Justice Department’s request so the F.B.I. could determine who was behind the attacks, according to these people. The company recalled all PIN pads and has not yet returned them.
While both breaches are problematic for both customers and the companies whose computers were hacked, there are distinct differences in the consequences for customers due to the information stolen or compromised.
Breaches such as the Barnes and Noble episode only will affect a small group of people. Most customers who shopped at the exposed stores simply need to monitor the credit or debit account statements of the cards used at the store. If there are no indications of suspicious activity, customers need not do anything. If a card is compromised the account can be closed and the card replaced with a new account number. It is relatively easy to monitor activity online or on monthly statements. Customers will not be held responsible for any fraudulent activity.
On the other hand, according to Jay Foley of the ID Theft Info Source, the South Carolina taxpayers need to consider using the program offered by the state. The program will monitor both credit reports and possible fraudulent use of Social Security numbers. Even with that help all identity theft situations cannot be stopped and some remediation will be necessary if the taxpayer’s SSN is used. The number can be used to vote, get a job or file a fraudulent tax return creating an identity theft problem.
Foley added, “On a scale of 1-10, I would consider the Barnes and Noble breach a 2 and the South Carolina breach could become a 6-9 depending on what the investigation uncovers.”