South Carolina’s response to what experts call the nation’s largest-ever hacking of a state agency should be more than a year’s worth of credit monitoring for the nearly 5 million people and businesses exposed by the fiasco. Unfortunately, taxpayers will end up paying the tab for this “free” service from the state government.
In September, hackers stole electronically filed tax returns for more than 3.8 million consumers and 657,000 businesses from the S.C. Department of Revenue. The stolen tax records dated to 1998 and included personal information for 1.9 million dependents – Social Security numbers, 3.3 million bank account numbers and 5,000 expired credit card numbers.
The cleanup has cost $25 million so far, including $12 million for a year’s worth of credit monitoring by the firm Experian. The contract with Experian – signed under a no-bid, emergency situation – accounted for the single largest bill.
The enrollment period for the service was extended two months to give more people a chance to sign up. But by the March 31 deadline, only about 1.5 million South Carolinians had enrolled. Those who signed up have until May 31 to register their children if they qualify.
But lawmakers appear likely to extend the monitoring service, which seems appropriate. Many of those whose information was hacked remain vulnerable to exploitation.
A state Senate bill would offer protection for 10 more years. Experian has offered to provide the state an additional year of credit monitoring for $10 million.
The state House bill would pay for another year of credit protection.
It might be unreasonable to expect the state to continue monitoring records until all risk to individuals and businesses has been eliminated. But the state is responsible for ensuring its records are secure, and it is obligated to provide reasonable protection for those whose records were hacked.
While these services are provided at no cost to the victims, the continued protection ultimately could cost taxpayers tens of millions of dollars.
In addition to protecting those who were hacked, it is imperative the Legislature and state agency heads take steps to make sure this doesn’t happen again. That should include upgrading the security of the state’s computer systems, requiring all agencies to use the same security measures and requiring routine consultation and oversight of all systems by security experts contracted by the government.
With hindsight, it is evident with greater coordination among agencies and central oversight of computer operations, this disaster might have been avoided. The state needs to do what’s necessary to repair the damage and build a better firewall for the future.