By Harriet McLeod
CHARLESTON, South Carolina (Reuters) - South Carolina Governor Nikki Haley sought on Monday to temper the anger and frustration of state taxpayers left wondering if their personal information was compromised by recent cyber attacks on computers belonging to the Department of Revenue.
Some residents also questioned whether state officials took too long to disclose that as many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers may have been exposed to a foreign hacker in the security breach.
State police said on Friday that they had begun an investigation earlier this month into a series of computer system breaches that occurred since August, with officials adding they did not know how much personal information was obtained by the hacker.
"This wasn't an issue where anyone in state government could have done something to avoid it," Haley said. "This is a situation where a sophisticated, intelligent individual got into a database and is unbelievably creative in how he did it, and now we're having to deal with it."
Officials urged anyone who had filed a South Carolina tax return since 1998 to investigate whether their information was affected. They provided a toll-free number taxpayers could call to obtain a year of credit and identity theft protection from Experian, paid with state funds.
But callers said that over the weekend they got busy signals, recordings, no answer or were on hold a long time. Those who got through received a code number to use to enroll online for the theft protection. The number was the same for all callers.
On Monday, the Republican governor, who had said she wanted the hacker "slammed against the wall," announced the code number at a news conference in the state capital of Columbia and told people they could sign up directly online.
"You don't have to call today. You have until the end of January 2013 to call and it will be retroactive," said Haley, who said the hot line had received 455,000 calls and that 154,000 people had signed up for credit protection.
Of the data potentially exposed, all but 16,000 of the credit card numbers were encrypted, compared to none of the Social Security numbers, officials said.
The U.S. Social Security Administration says it does encrypt Social Security numbers and encourages organizations that maintain the numbers in their systems to consider doing so. But Haley said the industry standard was that most such numbers are not encrypted.
It could be weeks before investigators determine what information was compromised, said Mark Keel, chief of the state's Law Enforcement Division.
Keel said the decision to wait more than two weeks to notify the public about the cyber attacks was an investigative strategy. "By allowing us the time to conduct our investigation, we believe that this information is better protected than it would have been otherwise," he said.
Millie See, a retired school teacher who lives in Charleston, said she and her husband were among those who had failed to get through on the toll-free number, and she worried about the consequences.
"If you haven't signed up for protection, it means your information is still out there and people could use it," she said. "I think it's shocking when your own state cannot secure its own records."
(Editing by Colleen Jenkins, Cynthia Johnston and Philip Barbara)