CHARLESTON, S.C. (AP) -- Millions of Social Security numbers and business records from tax returns as far back as 1998 were hacked in South Carolina and experts said Wednesday it may be the largest cyber-attack against a state tax department in the nation's history.
State and federal officials are investigating the hacking they say may have started in August and was discovered last month. They say the vulnerability in the system was fixed Oct. 20. The 3.6 million tax returns filed since 1998 included Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted.
In her daily update Wednesday, Gov. Nikki Haley said up to 657,000 businesses have also been compromised.
"I believe it might actually be the largest against a state government, but certainly of a state tax department," said Paul Stephens of the Privacy Rights Clearinghouse based in San Diego.
"We've never heard of anything like this so I think you can say that," agreed Verenda Smith, the deputy director of the National Federation of Tax Administrators in Washington.
The state has agreed to pay Experian up to $12 million for taxpayers enrolling in a service that provides a year of credit monitoring. As of Wednesday, 418,000 people had signed up. Dun & Bradstreet Credibility Corp. has agreed to provide businesses a credit alert service at no cost to either business owners or the state, for the life of the business, Haley said. A website and toll-free number for that should be available by Friday.
Also Wednesday, a former state senator filed a lawsuit against the state Department of Revenue and the governor accusing them of failing to protect taxpayers. Attorney John Hawkins is seeking class-action status hoping to represent all taxpayers whose Social Security numbers and credit card information were compromised.
He says the hacking of millions of personal records amounts to a class-five "cyber hurricane" and the state should have taken cost-effective steps to protect taxpayers' information and notified the public sooner.
Haley, who opposed Hawkins' attempt this year to regain his Senate seat, discounted the lawsuit.
"There is a trial lawyer with a hand out and a tissue ready at any crisis, and he has just proven that," said Haley, who endorsed Hawkins' winning opponent for the June primary.
There have been bigger security breaches of information that could lead to identity theft in both the private sector and the federal government.
Private information for as many as 76 million veterans may have been compromised when a defective hard drive from the Department of Veterans Affairs was sent for recycling with the information on it.
The largest case of credit and debit card data theft in the nation occurred when a hacker, sentenced two years ago to 20 years in prison, swiped information on 130 million accounts.
One of the issues swirling around the South Carolina hacking is whether the information should have been encrypted.
"The question is wrong," said Smith, whose agency provides services and training to state tax officials and agencies. "It's not as simple as do you encrypt Social Security numbers. Everybody encrypts. It is just a question of what stage it is in and where it is if it's not encrypted."
Information that is being transmitted or is on a portable device like a hard drive or laptop is always encrypted.
"If it's behind several firewalls and you're working on it, it might not be encrypted," she said, adding that encryption makes it more difficult for the information to be used by the agency. "It's hard to boil it down to any simplistic answer."
An agency survey of state revenue departments nationwide found that only four of the 16 departments that responded encrypt all data.
Stephens, director of policy and advocacy for the clearinghouse, a nonprofit consumer education and advocacy organization, said one way to protect information like that compromised in South Carolina is to minimize the amount of data that is being kept.
"If you are holding on to old data that is no longer essential to the operations of the department, you are unnecessarily putting people at risk. Why would you hold onto data of an individual who moved out of South Carolina a decade ago?" he asked.
State Revenue Director Jim Etter said the agency's policy is to keep records for 15 years, in the event of criminal cases that require them. However, officials are considering shortening that to 10 years, he said.
Stephens noted taxpayers are required to hand over personal information to the tax agency.
"The unfortunate part of this is you have no choice and a resident with income is going to have to file a return," he said. "There are things in life that are discretionary but this is not and one expects the government to be a good steward of the data entrusted to it."
Seanna Adcox contributed to this report from Columbia, S.C.