The Associated Press reported the intrusion also revealed citizens’ tax returns, which commonly contain often more sensitive personal data, but couldn’t immediately be confirmed.
The breach, which took place in mid-September, followed a series of attempted intrusions beginning in August, said a press release.
State Department officials have acknowledged the data breach since October 16, and suspected an intrusion as early as October 10, but didn’t reveal it until Friday, just hours before the start of the weekend.
The underlying vulnerability that attackers exploited to access the state network was patched on October 20.
“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Governor Nikki Haley was quoted as saying in the press release. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring of identity protection to those affected.”
Of the 387,000 payment cards exposed, almost 16,000 were encrypted using measures “deemed sufficient” under credit card industry standards, presumably a regard to the Payment Card Industry Data Security Standard,
which critics say does not go far enough in protecting account data.
With a state population of about 4.6 million, the exposure could affect as many as much as three-fourths of South Carolina citizens.