Hackers have stolen 3.6 million Social Security numbers from the US state of South Carolina, representing more than 75 percent of the population, along with some 387,000 credit and debit card numbers, US officials said Friday.
The massive data cache was stolen by unknown hackers from the South Carolina Department of Revenue.
The state has some 4.5 million residents.
An estimated 371,000 of the 387,000 compromised credit card numbers were safeguarded by "encryption deemed sufficient" under the Payment Card Industry Data Security Standard, according to officials.
Governor Nikki Haley said the breach would require an "unprecedented response".
"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the state of South Carolina and all our citizens," Haley said in a statement.
The agency was informed of the potential attack on 16 October and initiated a response the following day.
Forensic firm Mandiant was hired to monitor the agency's network and individual workstations for signs of compromise while the agency began an internal investigation to determine if employees or contractors were responsible.
Mandiant confirmed unknown hackers "probed" the agency systems and were able to access the stolen data.
The vulnerability used in the attack was closed on 16 October.
The agency did not disclose details about how the hack was perpetrated.
But agency spokeswoman Samantha Cheek told SC the intrusion was enabled by a "server issue".
Cheek said officials do not believe any insiders helped with the data heist.
A toll-free hotline set up for concerned residents who may be affected was overloaded by calls.
Mandiant chief security officer Richard Bejtlich would not provide details of the investigation.
"We're thankful for the voluntary public mention of Mandiant by state officials, but our policies and professional guidelines prevent us from saying anything about the case unless authorised by the client," Bejtlich said.
In August, the state's largest university announced that it was hit by overseas hackers who raided its database of the personal information of 34,000 students, staff and researchers.
Any person who filed a South Carolina tax return since 1998 was asked to monitor their credit reports for potential fraud. The state is providing them with one year of free identity theft protection.