COLUMBIA, S.C. (AP) — South Carolina used the same standards as banks and other private institutions when it decided not to encrypt Social Security numbers and other information on a database of state tax returns that was accessed by a hacker, Gov. Nikki Haley said Monday.
Up to 3.6 million returns from as far back as 1998 may have been compromised by the international hacker, who likely penetrated the Department of Revenue's system a month before the breach was detected by the U.S. Secret Service.
"The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt," Haley said. "It's very complicated. It's very cumbersome. There's a lot of numbers involved with it."
Investigators are still trying to determine how much information was taken by the hackers. Tax returns can include names, address, Social Security numbers and bank account information.
Online security experts recommend encryption of any sensitive data, which scrambles the information so it cannot be easily read by outsiders.
But encryption costs money and takes time, so governments and other organizations often don't use it.
'You'd be surprised at the lack of security in some organizations. Sometimes they don't have a lot of care around information that is very personal," said David Kennedy, founder of information security consulting company TrustedSec.
The state is offering free credit monitoring to anyone affected. Haley said Monday that more than 450,000 people have swamped a phone bank and more than 150,000 people have signed up for the monitoring since it started Friday. People reported impossibly jammed lines the first day, but Haley said the call center now has 300 operators and wait times are down to less than 15 minutes.
The governor said how much money the state spends on the credit monitoring has not been determined because the government is still negotiating with Experian over how much to charge per person. The monitoring will also cover any children whose Social Security numbers were listed on their parents' tax forms
Haley said no one from the Revenue Department has been disciplined over the hacking incident.
Monday's news conference didn't release many new details about the hacking scheme. State Law Enforcement Division Chief Mark Keel said his agents are working with federal officials to pinpoint the person responsible and figure out exactly what information was taken and how it might be used.
Haley called the hacker a "sophisticated intelligent criminal" and said the way he obtained access to the tax returns was "unbelievably creative."
Keel refused to go into details, but said almost all databases are vulnerable these days.
"I don't think any governmental organization or corporate organization is immune from it. Unfortunately, it is the environment we live in today," Keel said.
But Kennedy and other security experts said that shouldn't be the case. Especially troubling was how it took around a month from the time the hacker entered the system and accessed the data to the time the breach was discovered.
"You definitely should have been able to stop this attack. And if they got around your system, you definitely should have been notified quicker the information was being extracted," Kennedy said.
Hackers are getting more sophisticated and are poking in systems for months to find out how vulnerable they are before they strike, said Tom Kellermann, vice president of cyber security for computer security company TrendMicro.
South Carolina recently audited its database security after a state employee was charged with stealing Social Security numbers from more than 228,000 Medicaid patients in April. But Kellermann said that likely did nothing to stop the most recent attack.
"Checklist exercises are not sufficient to the threats we are facing today," Kellermann said.
Haley said she will consult with experts and conduct another computer security sweep after the latest hacking episode.
The governor said she knows how South Carolina taxpayers feel because she was a victim of identity theft before. She and her husband discovered a maxed-out credit card under their names going to a different address.
"Trying to get that scrubbed off of our credit report took four or five years," Haley said. "And in the process we had to deal with higher interest rates and we had to deal with credit issues and all of those things."