So Your Social Number Has Been Stolen… But How?
Recently the State of South Carolina announced that the SC Department of Revenue site was hacked. They revealed that the attackers got away with over 375,000 credit card and debit card numbers (of which roughly 16,000 were unencrypted) and 3.6 million social security numbers (all unencrypted).
One has to ask why any organization that stores sensitive information like this would store it unencrypted to begin with. There are standards in place for financial institutions that store credit card information and these standards set certain requirements that must be met in how these numbers are encrypted. What happens to them when someone gains unauthorized access to their systems and manages to obtain some of these credit card numbers? You can read about new cases of this happening every day across the country, so obviously these places must either not care enough to protect this data or not know how to protect it. At this point, this is something that every organization should be aware of. The excuse of not knowing better is no longer a valid excuse in my opinon. It is completely inexcusable for any organization (especially a government agency) to continue to make these blatant errors in the handling of sensitive data.
It was a virtual payday for those who were able to obtain these millions of social security numbers and thousands of credit card numbers, but the fact that they were already unencrypted is icing on the cake for those who now have them. The majority of the credit card and debit card numbers that were obtained were encrypted, so this raises the question, “Why not all of them?” Are the credit card numbers more important than the millions of social security numbers? Apparently they are as far as the SC Department of Revenue is concerned since they didn’t even bother to encrypt them at all.
So What Happens Now?
They have said that they know where the attack originated from, but don’t want to release that information since there is an ongoing investigation. This is good – they wouldn’t want to tip the people off that they are coming. Who’s to say that when they catch these people, however, they will have the data with them? Would you? Or would you have made copies of it and stored them remotely somewhere else? Or sold them as soon as you got them?
You can call 1-866-578-5422 to see if you are in the list of over 3/4 of the residents of South Carolina who’s data was compromised. It might take a few days for you to get through due to the high number of other people who are calling also. You will get an activation code there (for convenience, the code is the same for everyone – “SCDOR123”). Then you will need to go to http://www.protectmyid.com/scdor and enter that code along with some other information to determine if you are on the list of those affected. If you are on that list, they have offered to provide you with a year of credit monitoring and ID theft protection. This will be good for the first year, but what then?
You will probably start seeing ads soon by people and businesses who are guaranteeing you that they can monitor and protect your identity. All you have to do is provide them with enough information to “verify you are who you say you are”. While this gives them enough information to protect your identity, it also provides them with everything they need to take your identity as well. If you are going to be giving this information out, make sure that it is a reputable company rather than someone who is trying to take advantage of people.
Here is the contact information for the three major credit bureaus. You can contact them and place fraud alerts and a security freeze on your information if you think that it has been compromised. You are also normally allowed one free credit report per year from them.
Another thing that everyone should do is set up a Google alert for their name. This won’t help much if someone tries to open an account using your information since the search engines are not able to access that data, but it does help you keep an eye out for anything that’s posted online about you. It’s a free and simple way for individuals to monitor their reputation online. If you do not already have a Google alert set up for your name and would like to find out exactly how to do this you can find an article that we posted here that explains it step-by-step.