See chronology of events in cyber-attack

October 10

The SC Department of Revenue was informed by the South Carolina Division of Information Technology (DSIT) of a potential cyber attack involving the personal information of taxpayers.

DOR worked with DSIT throughout the day to determine what may have happened and what steps needed to be taken immediately to deal with the situation.

DOR consulted with state and federal law enforcement agencies for guidance.

Law enforcement recommended several steps to be taken, including consulting the nation's top cyber security firms.

DOR assessed the top 3 recommendations from law enforcement and contacted Mandiant of Alexandria, VA.

DOR contacted the Governor's office.

SLED Chief Keel briefed Governor Haley.

October 11

DOR met with the Governor's office in the morning to give her a full briefing, including laying out our 4-pronged approach:

  1. Contract with Mandiant, which we signed on October 12 with the approval of the Governor, to find and fix the leak.
  2. Conduct an internal investigation of all outside contractors and certain employees to see if they have been involved with any security breaches;
  3. Develop of a public notification plan;
  4. Institute additional protection tools on our system.

DSIT began monitoring DOR and its main servers to detect any unauthorized intrusions.

DOR made the decision that if DSIT or DOR identified any unusual exfiltrations of data, the system impacted would be shut down immediately.

October 12

DOR signed a contract with Mandiant.

Mandiant began working on plans to send surveillance and monitoring tools to be installed at DOR in SC.

October 15

DOR worked with Mandiant to begin installing surveillance and monitoring equipment which was completely in place within 48 hours.

DOR began daily status update calls with complete team, including representatives from law enforcement, DSIT, DOR, Mandiant- the first call was planning session.

October 16

Mandiant began deploying a monitoring agent on every computer workstation throughout DOR, a process was completed by October 20.

By the daily status call on Oct. 16, Mandiant was able to confirm that an unknown hacker or hackers probed the system in early September. We also learned that in mid-September, two other intrusions occurred, and to the best of our knowledge, the hacker obtained data for the first time.

October 18

Daily team status meetings were held and systems were continuously monitored.

October 19

Mandiant sent a four member team to begin the on-site investigation at DOR.

DOR is still managing day-to-day business of state of SC while managing this major issue.

DOR contacted South Carolina law firm, Nelson Mullins, about getting assistance with breach management.

October 20

The "hole" was closed and system was secured, to the best of our current knowledge.

October 21-25

We continued to monitor the system to make sure no more data was compromised.

The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens.

We confirmed that NO public funds were accessed or put at risk as those servers are completely separate from those that were breached.

However, approximately 3.6 million Social Security numbers may be affected. Approximately 387,000 credit card numbers were in the materials that were taken, but approximately 371,000 are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, and the others are dated from before 2003.

Safety Precautions

We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring to those who may be affected through Experian's ProtectMyID Alert. This service includes:

  1. A free credit report;
  2. Daily credit monitoring across three credit bureaus to detect any suspicious activity;
  3. A $1 million identity theft insurance policy.

The public is urged to be aware of scams. DOR will never call or otherwise contact those affected asking for personal information. Beneficiaries are advised to never give out their Social Security numbers or other identifying information to people you do not know.

If you filed a South Carolina tax return since 1998, you are urged to call the toll-free call center that DOR has established, which will be operating 24/7 beginning at noon on Friday, October 26, 2012,for anyone who wishes to know if their personal information was included and to immediately enroll in one year of credit monitoring: 1-866-578-5422. Also please visit:

Copyright 2012 WIS. All rights reserved.