Most South Carolinians no doubt have heard of identity theft. More than a few have had their computers hacked or their credit card information stolen.
But now, because of a breach of security at the state Department of Revenue, millions of residents and hundreds of thousands of businesses are victims of identity theft. Overseas hackers apparently used state-approved credentials to access DOR’s computer in September and take up to 4.25 million state tax records of individuals and businesses, and 387,000 credit card numbers.
Only 16,000 of the credit card numbers were encrypted. And anything on a tax form, including checking-account information used for direct deposit, has been exposed.
The DOR now is encrypting data in its system. The department is considering not holding tax data for so long. And Gov. Nikki Haley has asked the state inspector general to review technology polices at state agencies and come up with a list of suggestions about how to better ensure security.
All that amounts largely to closing the barn door after the horse is loose.
As for acting to protect the millions of consumers who might be affected by the theft, state officials have encouraged people to enroll in a private security service from the Experian firm. Consumers can receive one year of credit monitoring and up to $2 million in insurance and lifetime credit-fraud resolution, paid for by the state.
Businesses can get free lifetime credit-report monitoring from two companies. Both businesses and individuals can pay for extra protection if they choose.
Details of this security breakdown still are filtering out since the public was informed two weeks ago. With the possibility that information about personal accounts will be sold internationally via underground Internet sites, the full extent of the damage might not be known for years.
While credit cards can be canceled, changing Social Security numbers is considerably more complicated. And if thieves got account numbers from financial institutions, tax returns and other documents, consumers might have difficulty restoring their personal security.
Until we know more, it is difficult to gauge whether the state’s response is adequate. But we do worry that most of the onus has been placed on individuals to register for security protection, even though the state is picking up the tab.
The state has encouraged consumers to enroll online, but many South Carolinians aren’t adept at using computers for that purpose. And what about those who simply don’t get the word that they need to take advantage of this service? Deadline for signing up, by the way, is Jan. 31.
It seems more appropriate for the DOR to take primary responsibility for its lax security and ensure that all those affected by the theft are covered by credit-reporting agencies. The responsibility should lie with the state, not the victims.
The state also should create an agency to aid those who lose money because of this security breech, especially if credit card companies are hounding them to pay back the stolen money. The victims also should have help from the state in clearing their records.