CHARLESTON — Stolen files like the data from 3.6 million hacked South Carolina tax returns are quickly sold on the Internet black market, and chances of finding whoever did it are slim, one of the world’s leading cyber security experts says.

“Credit card numbers themselves end up being sold in batches of 1,000, 10,000, 100,000 in online underground forums and just being passed around the world,” said Michael DuBose, former chief of the U.S. Justice Department’s computer crime section.

Social Security numbers are sold in the same way, DuBose told The Associated Press. DuBose now works for international cyber security company Kroll.

The 3.6 million hacked personal income tax returns were filed since 1998 and included Social Security numbers and about 387,000 credit and debit card numbers, 16,000 of which were not encrypted. The cyber thief also took data from up to 657,000 business filings.

During DuBose’s time at Justice, the department handled some of the nation’s biggest computer theft cases. They included the prosecution of Albert Gonzalez, who was sentenced in 2010 to 20 years in prison for a scheme that stole information from tens of millions of credit and debit accounts, resulting in at least $200 million worth of fraud.

“I used to say that maybe the best protection you have as a credit card holder is the fact that there are so many credit card numbers being traded out there on the underground forums that, just with the pure numbers, it makes it less likely yours will come up,” said DuBose, who declined to comment specifically on the South Carolina case.

State officials say they don’t know precisely whose information was exposed, nor do they know exactly how many people were affected. The announced figures represent tax returns, which can include more than one Social Security number for those filing jointly and with dependents. They also likely represent duplicates over years of filings.

Officials also don’t know if Social Security numbers were linked to addresses or, in the case of people getting a direct-deposit tax refund, bank routing numbers. They don’t know if only certain types of businesses were accessed or what type of business data was taken.

“We will be able to tell you more later,” Gov. Nikki Haley said Monday. “To tell you now would be guessing.”

That’s why South Carolina officials are urging all taxpayers to check their accounts and get a free year of credit monitoring through an Experian service paid for by the state. Haley said the Experian service will cost the state no more than $12 million. Business owners could begin signing up Friday for a separate monitoring program through Dun & Bradstreet. It will be free to the owners and to the state.

Authorities have said the hacker used an international IP address, but DuBose said that may be deceptive. He said it’s getting easier for hackers to hide in cyberspace.

“If you trace an IP address, which may make it appear it’s coming from eastern Europe, that may just be a proxy being used by someone on the other side of the world,” he said.

A Federal Trade Commission attorney said the selling and trading of stolen information makes it virtually impossible to trace an identity theft case to any particular security breach.

“The reality today is consumers’ information is all over the place. You have no idea whether it was due to a particular hack or if somebody else picked up the information,” said Steven Toporoff, attorney for FTC’s division of privacy and identity protection. “It’s difficult to trace back and very difficult to predict a timeframe.”

Why would an international hacker target a small state in the American South?

“The reality is that hackers will go after low-hanging fruit before they go after victims that are harder to breach in many cases,” DuBose said. “Systems that are not as well protected as others are going to be more vulnerable because hackers don’t necessarily want to spend the time or the effort.”

Much criticism has arisen about the South Carolina information not being encrypted.

Best practices would require personally identifiable information to be encrypted both in transmission and in archiving, DuBose said.

“If you no longer need data stored on a system but you may need access at some time in the future, you can archive it to a removable media and take it offline,” he said. “As a principle, if you don’t need the data day to day, you should either get rid of it or put it on a removable media or a lockdown, secure server.”

Archiving it in such a way does make access for the agency more cumbersome.

“It’s an inverse relationship between accessibility and security. The more accessible you make it, the less secure it’s going to be,” he said.


Associated Press writer Seanna Adcox contributed to this report.