I’ve been pretty critical of the South Carolina Department of Revenue breach and the state’s incident response. Some will think my criticism is well-deserved, while others may feel I’ve been too harsh. But it is now six weeks since we first learned of the breach and here is what hasn’t happened so far:
Notification letters haven’t gone out yet and not everyone will be notified
The state says letters should start going out this coming week to those whose financial information is at risk because they filed taxes electronically and requested a refund electronically through direct deposit to a bank account.
On Friday, WCBD reported:
Governor Haley’s office says the letters will begin to go out in the mail the week of December 10th and be sent out on a staggered basis. Officials added that all the letters will be sent out by December 31st, 2012.
Press Secretary Rob Godfrey said that if a tax filer has enrolled in Experian’s ProtectMyID plan and provided an email address, Experian will send the SCDOR notification to the enrollee by email. SCDOR will notify all other affected tax filers by U.S. Mail.
About 800,000 affected taxpayers will receive notification by email, according to officials with the governor’s office.
And today, The State reported:
Letters to consumers and businesses notifying them of the breach should start going out this week. Those letters will include alerts for the 3.3 million taxpayers whose bank account numbers were exposed because that routing information had been used to get direct deposit of refunds. The data stolen dates back to 1998 but affected only tax returns that were filed electronically.
So what about everyone whose Social Security numbers were compromised but who didn’t request an electronic refund via direct deposit? Aren’t they still at risk of ID theft? Isn’t the state going to send them notification letters? Where is there a clear, updated statement from SCDOR on their web site as to who will receive letters and who should not expect to receive letters? And why isn’t everyone whose Social Security numbers were compromised being notified?
As to sending out letters by December 31st: well, that is over two months from the time the state disclosed the breach. Again, as far as incident response goes, that’s disturbing.
Those tax filers who have moved away from the state or out of the country may have no idea they are at risk. Of course, if they moved away, the state may have no current contact information to reach them – another reason they shouldn’t have stored unencrypted information going back to 1998 on a server connected to the internet. Even among those still residing in South Carolina, though, not everyone knows about the breach. According to a survey conducted between Nov. 25 and Dec. 2:
The number of South Carolinians with some knowledge of the breach was higher than Huffmon expected, based on the estimated 40 percent of people who do not regularly watch the news or get their news from cable television, which does not regularly cover state issues.
- About 73 percent of those polled said they were very or somewhat familiar with the breach.
- Another 18.5 percent said they heard about the cyber attack but did not know the details.
- Only 8.3 percent of respondents had no clue that hackers might have stolen their tax data.
There are two ways to view those numbers. One way – the conservative way – is to take steps to ensure that the 27% who are not fully informed but who might be at risk are sent letters – even if they did not request a refund electronically.
Banks have not been notified with a list of compromised account numbers
In reading the news yesterday, I learned that the state could not just send banks a list of account numbers to watch or monitor – they needed court approval to transfer the information. Okay, but exactly when did the state start the process to get that court approval? Shouldn’t that have been part of their incident response plan and have been initiated promptly? Perhaps the mainstream media will file a Freedom of Information request and let us know when the state first requested court approval.
Where would we be without the media?
If it was not for the media asking questions and providing coverage, those affected would have little idea what is going on. Yes, the state set up a web page with information on the breach, but that page has not been updated since November 13. The last official state press release was on October 31.
As regular readers know, I have repeatedly argued for more transparency and disclosure to protect consumers. The SCDOR breach serves as a painful reminder of how confusing and alarming a breach can be when those affected aren’t promptly notified and kept in the loop via official press releases on an updated web site.
Don’t count on the state – count on yourself
If you are among those affected or potentially affected and have been waiting for the state to help, stop waiting. Immediately contact your bank if you have not done so already. And do sign up for the free credit monitoring protection the state arranged, even though you will need to input your Social Security number and other information to take advantage of the service. The state has a prominently posted advisory here.
And keep reading the mainstream media coverage from South Carolina. Right now, they appear to be your best source of updated information on this breach.
We’ve received a lot of calls about the SC breach, and have created a list of preventative measures people can take to help avoid ID Theft. We encourage people to sign up for the credit monitoring but here are some other ideas…
If your information was part of the South Carolina Department of Revenue breach, the state will be providing those affected with one year of credit monitoring, and we highly recommend you take full advantage of this offering. News reports indicate that anyone who has filed a South Carolina tax return since 1998 is being directed to call 1-866-578-5422 to determine if their information is affected, and to obtain an activation code. If you already have the activation code, you can enroll in your monitoring by visiting: http://www.protectmyid.com/scdor. At this time, they are predicting a 48-hour turnaround to verify your information against the list provided by the state to confirm if your information was included in the compromise.
Below is a list of preventative measures that can be taken depending on the information that may have been compromised.
CREDIT CARD NUMBERS and FINANCIAL ACCOUNT NUMBERS
• Close all affected accounts and have account numbers changed
• Cancel all affected credit cards and debit cards
• Password protect your accounts using strong passwords that are not easy to guess
• Watch your account statements closely
• Report any fraudulent activity immediately to the bank
SOCIAL SECURITY NUMBERS:
If a minor’s social security number was compromised, there is no immediate step to take.
If you are a parent or guardian and you want to check to see if your child may be a victim of identity theft you can submit an online request to TransUnion to see if a credit file exists. TransUnion has a secure online form you can use to submit your child’s information so they can check their database for the existence of a credit file under your child’s SSN. You can find their online form here https://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/childIDInquiry.page.
If an adult’s social security number was compromised, place a fraud alert immediately.
FRAUD ALERT:
A fraud alert is a free service to consumers who have experienced identity theft or have had their information compromised. Placing a fraud alert will put a 90 day “flag” on your credit files that will alert merchants to take extra precautions to validate your information before extending a new line of credit. Placing an alert will also entitle you to a free credit report from each of the bureaus every time you place a 90 day fraud alert. A fraud alert is not a necessity if your social security number is not at risk but for some it provides an extra sense of security and allows you to monitor your credit reports every 90 days.
PLACE THE FRAUD ALERT ONLINE:
• Visit the Experian website.
o The specific link for fraud alerts is here:
o https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT
• Click on the link that says Initial Security Alert (90 days). This will take you to a secure screen where you will enter your personal information.
o NOTE 1: You are not required to include your employment information
o NOTE 2: Click the tick box directly below the employment section to include a phone number with your alert
• After you have completed the personal information, click on the three boxes at the bottom and you will be taken to an additional screen with security questions for you to answer, based on your credit profile. *Keep in mind that some of these questions may not pertain to you. For identifying purposes they may ask a few trick questions. This is no reason to be alarmed.*
• In most cases, you will be allowed to view your Experian report online. Be sure to note the report number (so that you can view it again) and if possible, print the report for your own reference.
• For fraud alerts, the credit bureaus work together on your behalf. Experian will automatically contact Equifax and TransUnion to have an alert placed on your files with their companies. These companies will send you letters in the postal mail with the necessary references and contact information for you to call and request copies of your credit reports from them. Once requested, it will take an additional 10 business days for the reports to reach you.
o NOTE 3: These letters are not well marked and many consumers recycle them by mistake.
o NOTE 4: Remember, for security reasons, the first set of letters you receive will not contain credit reports. The first set of letters will confirm your alert and give the phone numbers to order the reports.
Review your credit reports and note any fraudulent/incorrect information, including personal information, accounts, and inquiries. Notify ID Experts immediately of any suspicious information found on credit reports, collection notices received, or with questions or concerns. If you need further assistance please call me directly.
PLACE THE FRAUD ALERT BY TELEPHONE:
To place a fraud alert by phone, simply contact any one of the three major credit bureaus using the numbers listed below. Whichever company you call will request that the other two also place a fraud alert on your file.
• Equifax 1-888-766-0008
• Experian 1-888-397-3742
• TransUnion 1-800-680-7289
After placing an alert by telephone, you will receive three confirmation letters in the postal mail with the necessary references and contact information to use to request your free credit reports from each bureau. The Experian confirmation letter should also reference a 10 digit report number. The 10 digit report number will allow you to view the report online at http://www.experian.com (click Review report again, toward bottom of the home page). Once your reports are requested, it will take an additional 10 business days for the reports to reach you.
NOTIFY THE IRS:
If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a SSN compromise, lost or stolen tax information, or other identity compromise, follow the instructions below.
Keep in mind, submitting form 14039 will flag your files for 3 years. If you decide to do this, you would be unable to file your taxes electronically for 3 years. You will be required to file your taxes via postal mail and any refunds may be delayed during this time frame.
If you decide you would like to notify the IRS, you should submit the IRS Identity Theft Affidavit (Form 14039) to the address below. Also include one copy of a valid federal or state issued identification, choosing from the options listed on Form 14039.
Please send these documents using one of the following options:
Mailing address:
Internal Revenue Service
P.O. Box 9039
Andover, MA 01810-0939
FAX: 1-978-684-4542 (note that this is not a toll-free FAX number)
You may also contact the IRS Identity Protection Specialized Unit, toll-free 1-800-908-4490 for guidance.
ITEMS OF LITTLE CONCERN:
This covers publicly available information, such as phone number, address, name, and birth date. Thieves cannot do much with this information alone.
SPEAR “PHISHING”
With birthdates, email addresses, home addresses, and phone numbers, hackers can launch spear “phishing” attacks that are targeted at specific individuals. If they have enough information, they may even try to pose as a legitimate financial institution or even the entity involved in the breach of information. Spear phishing refers to attacks that are customized to each individual target. Hackers can draft emails that contain enough personal information to persuade the victim to let down their defenses, which can be enough to get them to click on a link that downloads malicious software onto their personal computer.
Thanks for sharing your knowledge and experience with this site’s readers!