Protect Yourself from ID Theft After SC Security Breach

What should the 3.6 million South Carolinians whose personal information was stolen by hackers do to protect themselves now?

More than 3 million South Carolina residents are asking, "Now what?"

They're getting a crash course in dealing with identity theft following Friday's revelation that a foreign hacker stole 3.6 million Social Security numbers and 387,000 credit card numbers from a S.C. Department of Revenue database.

State officials say the database that was hacked contained personal information belonging to taxpayers stretching back 14 years.

So now that just about everyone who has filed a S.C. tax return since 1998 is a potential victim of identity theft, how should they go about trying to protect themselves?

First, you need to call the phone number the state has set up (1-866-578-5422) to find out if your information was stolen. If so, you'll get to sign up for the year of credit monitoring and identity theft protection Gov. Nikki Haley said the state would provide for anyone affected.

Residents can choose to receive alerts via the U.S. Postal Service or through an online system. Those who select the online option will receive an activation code for the online system.

Many who tried to call Friday afternoon heard a recorded message telling them to call back later because of high call volume, but Haley spokesman Rob Godfrey said via email late Friday that, "we have increased and are continuing to increase the number of people assisting South Carolinians who call the call center."

The phone line will run 9 a.m. - 9 p.m. Monday - Friday, and 11 a.m. - 8 p.m. Saturday and Sunday.

The Federal Trade Commission also suggested that people closely monitor their bank and credit card statements, and regularly check their credit report through all three major credit bureaus, in addition to several other steps to detect identity theft.

For people who suspect their information has been stolen, the FTC also suggests placing a fraud alert on their credit report. Finally, people also may file a complaint with the FTC.

People can perform a number of the tasks that identity-theft protection services offer, though it can be time consuming. For some people, saving that time is worth the monthly cost of such a service. While the state will provide a year of Experian's ProtectMyID service, there are many companies that offer similar services. TopTenReviews.com ranked 11 of them on a multitude of categories (two of which scored higher than ProtectMyID).

However, no identity protection service is perfect, nor can they protect against every possible threat. The FTC cautioned consumers to research identity theft protection services before signing up for one, and to make sure they know exactly what they are paying for.

For the DIY Crowd

As PCWorld writer Nick Mediati notes, most identity theft protection services don't offer anything people can't do on their own for free or little cost. The services are mostly offering convenience.

For those that want to do their own identity protection, several resources are available.

The FTC notes that consumers are entitled to two kinds of fraud alerts; an initial alert, and an extended alert.

Consumers can request an initial fraud alert on their credit report if they suspect their personal information has been compromised, for example if a hacker stole their Social Security number and credit card information from a state database. Initial fraud alerts last 90 days, but can be renewed. Placing an initial fraud alert on a credit report entitles the consumer to request a free copy of his or her credit report from each of the credit reporting agencies (Equifax, Experian and TransUnion).

Consumers only need to contact one of the agencies to request a fraud alert, because each is required by law to inform the others.

Consumers who have already been victims of identity theft can request an extended fraud alert that lasts seven years. Consumers who request an extended fraud alert on their report are entitled to two free credit reports from each of the agencies within a single 12-month period.

Consumers can also place a security freeze on their credit report that will restrict companies from accessing a person's credit report without his or her express permission.

To place a security freeze on your credit report you will need to contact each of the reporting agencies and provide the following information:

  • Full name (including middle initial, Jr., Sr., II, III, etc.)
  • Social Security number
  • Date of birth
  • Address (include all previous addresses in the preceding two to five years, depending on the specific credit-reporting agency requirements)
  • Proof of current address (utility or phone bill will suffice)
  • Photocopy of government issued identification (driver's license or state ID card)

Finally, everyone is entitled to one free copy of his/her credit report from each of the three reporting agencies each year, which can be requested via www.annualcreditreport.com.

Tom Utley October 30, 2012 at 01:24 PM
As a computer engineer I can tell you with 100% confidence that there is no reason, and I mean absolutely no reason, that the data shouldn't have been encrypted. This is an absolute and total failure of the government to adequately handle personal information, but what should we expect? That's what government does: fail. In any system like this, you have three parts: The data, the application, and the presentation. The presentation could be a web page or a computer terminal. The application is the software that processes the data. It adds new stuff, deletes stuff, creates reports, etc. The data is usually stored in a database and this is what got hacked into. Now, on day 1 of any software developer's career in the voluntary sector (working for a company as opposed to the government) they are told that any time they store sensitive information, the application must encrypt the data before putting it into the database. So all that you see in the database for sensitive fields is just gobbledy-gook. (A long string of numbers, symbols, and letters that doesn't look like anything recognizeable). Then the application contains the decryption method, which is only known to the application. This can be done many ways, but the principle is the same. Long story short, the data should have been encrypted, no excuses.
Mark Stevens October 30, 2012 at 08:39 PM
Now it seems that all they keep saying is SS#s But in seeing more than just what is being reported from the Gov's office the files that were hacked contained the Tax returns for the 3.6 million residents. Take a moment to think what was on your returns. If you had any intrest bearing accounts,those bank #'s are in there. Your Childrens SS#'s are in there. Everything is in there! An Identity thieves gold mine! And it doesn't sound like there is enough concern for what happened (imho) This is an outrage and a total lack of respect for us as SC citizens. And as far as not being encrypted I agree with Tom Utley. I'm no IT professional but it seems to me that someone dropped the ball!
Julia Sullivan November 05, 2012 at 10:33 PM
Excellent article. This unfortunate episode shines a spotlight the huge disparity between cyber finances and cyber security. I've written a piece on the S.C. Breach, including some tips for consumers to stay safe in the aftermath. http://creditcardselect.com/hackers-outpacing-financial-security-at-alarming-rate/
FugitiveSquirrel February 05, 2013 at 10:27 PM
So now, in FEBRUARY, we start getting confirmation that our information was among those hacked and stolen.
Shireese Bell February 05, 2013 at 11:24 PM
I just got the email today, too.


More »
Got a question? Something on your mind? Talk to your community, directly.
Note Article
Just a short thought to get the word out quickly about anything in your neighborhood.
Share something with your neighbors.What's on your mind?What's on your mind?Make an announcement, speak your mind, or sell somethingPost something
See more »