An estimated 387,000 credit cards and 3.6 million Social Security numbers have been exposed after the breach of a server holding taxpayer and card information for South Carolina residents.
Officials with the state's Department of Revenue confirmed the breach and the fact that, of the credit cards, 16,000 were stored without encryption. State Law Enforcement Division Chief Mark Keel said during a press conference late Friday that the investigation so far had revealed the breach occurred as early as August 27, and had confirmed that the IP address through which the attack originated was foreign.
With the investigation ongoing, Keel said "no further information regarding specifics of the investigation will be released at this time," as the disclosure of more information could hinder efforts to bring the hacker to justice.
South Carolina Gov. Nikki Haley appointed Inspector General Patrick Maley to examine the state's information security measures. The first move will be to establish a full time task force to examine each of the state's systems.
Haley stated that she wants the person held accountable for their actions, and "slammed against the wall."
"It's no longer about just inside hackers, it's about international hackers," she said. "Our state will respond with a big, large-scale plan that is somewhat unprecedented, to take care of this problem."
As part of the response, independent information security company Mandiant was hired to provide advice on how to proceed. Mandiant Director Marshall Heilman said that its first steps were to remove the attacker's known access, deter the attack with additional security measures and enhance the systems' logging to enable law enforcement to detect if the attacker returned.