COLUMBIA, SC (WIS) - The security breach that put millions of South Carolinians' social security numbers and credit cards in jeopardy could cost the state more than $12 million in fees to companies that will be working to protect those citizens and investigate the data theft.
For the second day in a row, Governor Haley stood in front of the media with SLED chief Mark Keel and Department of Revenue director Jim Etter to update the situation.
Haley said Tuesday morning that the state has negotiated a capped rate of $12 million with Experian, the company providing credit monitoring and lifetime fraud protection to those who have been affected.
The state has already paid $125,000 to Mandiant, which is investigating how the breach of the Department of Revenue's servers happened and how to protect the state's online systems in the future.
Haley, Keel and Etter announced last week that 3.6 million social security numbers and 384,000 credit cards were compromised in a hack of the DOR's online systems.
When questioned about business liability, Etter told the Senate Finance Committee late Tuesday that an unknown number of SC tax ID numbers were also included in the compromised data. The business tax ID numbers would be renumbered, Etter said.
Etter suggested, but couldn't promise, that some sort of protection, such as a company like Dun and Bradstreet, which is a provider of credit building and credibility solutions for businesses, would be offered to those affected businesses.
He said he'd suggest that solution to Governor Haley.
The governor revealed a bit of good news Tuesday morning. Of the hundreds of thousands of credit card numbers that were taken, none of the unencrypted cards were active. "Not one single, active credit card was taken," said Haley.
Experts have told the state that it may take up to 6-8 months for those who have stolen social security numbers to start using them for fraudulent activity. Those same experts, according to the governor, said that after a year the likelihood for fraudulent activity goes way down.
The governor said 533,000 people have called the hotline and 287,000 have signed up for the offered services. She said wait time has been reduced from 12 minutes on Monday to up to 10 minutes on Tuesday.
The investigation into who got into the system and took the information is ongoing, according to Mark Keel, who wouldn't go into any detail about law enforcement's efforts.
Haley did reveal that investigators do not yet know if one person or a group of people is responsible. "This is not someone who figured out how to get in through the internet," said Haley. "This is somebody that joined the conversation."
That conversation, according to the governor, is the communication that takes place between the DOR's branches across the state.
Etter said Tuesday that the person or persons who hacked into the system had credentials to get in. Approximately 250 people have those credentials.
When asked why the state waited so long to go public with the breach and subsequent investigation, Keel said law enforcement made a "decision that we believe was in the best interest of the citizens to make it public."
After the news conference, Haley spokesperson Rob Godfrey said the state is going to encrypt all Department of Revenue files in the next 60-90 days.
To set up the free one-year credit monitoring system through the Dept. of Revenue, call (866) 578-5422. You can also go through the process online at http://www.protectmyid.com/scdor by using the code SCDOR123.
Residents who have filed taxes with the state of South Carolina since 1998 are eligible for one year of free credit monitoring and, if compromised, fraud resolution for life.