- Associated Press - Wednesday, October 31, 2012

CHARLESTON, S.C. — About 3.6 million tax returns from as far back as 1998 were hacked in South Carolina, and analysts said Wednesday it may be the largest cyberattack against a state tax department in the nation’s history.

State and federal officials are investigating the hacking they say may have started in August and was discovered last month. They say the vulnerability in the system has been fixed.

The 3.6 million tax returns filed since 1998 included millions of Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of which were unencrypted. Tax information from businesses across the state may also have been accessed.

“I believe it might actually be the largest against a state government, but certainly of a state tax department,” said Paul Stephens of the Privacy Rights Clearinghouse based in San Diego.

“We’ve never heard of anything like this, so I think you can say that,” agreed Verenda Smith, the deputy director of the National Federation of Tax Administrators in Washington.

Gov. Nikki Haley, who has been holding daily news conferences on the situation, was to meet with reporters again late Wednesday.

Also Wednesday, a former state senator filed a lawsuit against the state Department of Revenue and the governor accusing them of failing to protect taxpayers.

Attorney John Hawkins is seeking class-action status hoping to represent all taxpayers whose Social Security numbers and credit card information was compromised.

He says the hacking of millions of personal records amounts to a class-five “cyberhurricane” and the state should have taken cost-effective steps to protect taxpayers’ information and notified the public sooner.

There have been bigger security breaches of information that could lead to identity theft in both the private sector and the federal government.

Private information for as many as 76 million veterans may have been compromised when a defective hard drive from the Department of Veterans Affairs was sent for recycling with the information on it.

The largest case of credit and debit card data theft in the nation occurred when a hacker, sentenced two years ago to 20 years in prison, swiped information on 130 million accounts.

One of the issues swirling around the South Carolina hacking is whether the information should have been encrypted.

“The question is wrong,” said Ms. Smith, whose agency provides services and training to state tax officials and agencies. “It’s not as simple as do you encrypt Social Security numbers. Everybody encrypts. It’s just a question of what stage it is and where it is.”

Information that is being transmitted or is on a portable device such as a hard drive or laptop is always encrypted.

Story Continues →