The theft of tax information from a South Carolina computer system appears to have been the largest cyberattack ever on a state government and has put other states on high alert, computer security experts say.
The state announced late last month that an international hacker had stolen 3.6 million Social Security numbers and 387,000 credit and debit card numbers. Now tax departments across the country are inspecting their own security systems.
"When one employee's laptop gets stolen, it's a big deal," said Verenda Smith, the deputy director of the National Federation of Tax Administrators. "So you can imagine the reverberations when this news came out."
Since 2005, at least 11 state tax agencies have faced security breaches, according to the Privacy Rights Clearinghouse, a consumer rights group. But most were caused by internal accidents, not attacks, and none were on this scale.
"As a cyberattack, this appears to be in a league of its own," said Beth Givens, the group's director.
The hacking has raised questions about whether South Carolina was unprotected or simply unlucky. Most of the stolen credit cards were encrypted, but the Social Security numbers were not. The computer system that was hacked did not have a free layer of security monitoring offered to all South Carolina agencies, according to the State Budget and Control Board.
In a lawsuit filed last Wednesday, a former state senator, John Hawkins, said the state had failed to protect taxpayers and had not reported the attack promptly. The tax agency detected the attack on Oct. 10 and, after notifying federal authorities, alerted the public on Oct. 26.
"Obviously these hackers picked South Carolina because it was vulnerable," Mr. Hawkins said. "I equate it to a burglar going into a neighborhood. He's going to break into the house with no alarms and the door open."
But South Carolina is hardly the first state to suffer a large-scale security breach. In Texas last year, Social Security records for 3.5 million people were inadvertently disclosed to the public on a computer server.
In Georgia in 2007, a computer disk containing personal information on 2.9 million people disappeared. At the federal Veterans Affairs Department in 2006, an employee lost a laptop and an external hard drive containing the Social Security records of 26.5 million active-duty troops and veterans.
Gov. Nikki R. Haley said that South Carolina had a state-of-the-art security system but that the hacker nevertheless found a way around it. Her office said on Friday that it was encrypting all tax files to reduce the harm if any were stolen, and that the process would be completed within 90 days. The state is paying up to $12 million to provide a free year of credit monitoring and identity theft prevention to anyone affected.
Last Wednesday, the state disclosed that tax records for 657,000 businesses had also been hacked.
Anyone who has filed a tax return since 1998 has been urged to contact state law enforcement officials. By last Thursday, 653,000 people had called the state's emergency hot line, and 521,000 had signed up for identity protection.
Within state governments, tax agencies face the highest risk for hacking, said Larry Ponemon, the founder of a security research firm, the Ponemon Institute. If stolen, their data can be used for tax fraud, credit card fraud and identity theft.
"This is the crown jewel for a cyberattacker: having the Social Security numbers, personal information and credit card for the same person," he said.
After the attack, state tax agencies, including in California, said they were monitoring their security particularly closely.
Michael Hicks, the director of the Maryland Cybersecurity Center at the University of Maryland, said states needed a clearer understanding of the attack in South Carolina.
"The only way states can raise the level of vigilance," Mr. Hicks said, "is if they really get to the bottom of what really happened in this attack."
This article originally appeared in The New York Times.