Who Stole 3.6M Tax Records from South Carolina? – Krebs on Security

For nearly a dozen years, South Carolina residents have been kept in the dark by state and federal investigators about who was responsible for hacking the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity has found compelling clues that suggest the intrusion was carried out by the same Russian hacking crew that stole millions of payment card records from big box retailers such as Home Depot and Target in the following years.

Questions about who stole the tax and financial data of nearly three-quarters of all South Carolina residents came up at last week’s confirmation hearing for Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, it would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release too many details about the breach at his hearing, telling lawmakers he knew who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t get a lot of information on the people who were violated is a testament to the work that people did on this case,” Keel said.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, SC said investigators determined the breach began on August 13, 2012, after a state IT contractor clicked on a malicious link in an email. State officials said they learned about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity reviewed posts on several cybercrime forums from that period, and found only one instance of someone selling large amounts of tax data in the year surrounding the date of the breach.

On October 7, 2012 – three days before South Carolina officials said they first learned of the intrusion – a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you buy the entire database, I’ll give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data included employer, name, address, telephone, taxable income, amount of tax refund, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On October 26, 2012, the state announced the breach to the public. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, who produced an incident report (PDF) that was later published by the South Carolina Dept. of Revenue. KrebsOnSecurity requested comment from the Secret Service, South Carolina prosecutors, and Mr. Keel. This story will be updated if any of them respond.

On Nov. 18, 2012, Rescator told members of the forum Verified that he had sold a database of 65,000 records containing bank account information from several smaller, regional financial institutions. Rescator’s Verified sales thread lists more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database being sold, Rescator told forum members that it included financial records related to tax filings in a U.S. state. Rescator added that there was a second database of nearly 80,000 corporations that included Social Security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in US history but has since been surpassed by hacks at Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach of Target and the 2014 hack of Home Depot. Rescator’s cybercrime shop sold nearly 40 million payment cards stolen from Target, and 56 million cards stolen from Home Depot customers.

Who is Rescator? On December 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, aka Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and recently changed his last name to Lenin.

Mr. Keel’s suggestion that the efforts of South Carolina officials after the breach somehow lessened its impact on citizens seems implausible. The stolen tax and financial data appears to have been offered openly on cybercrime forums by one of the most aggressive and successful hacking crews in the Russian underground.

While a review of the forum posts turned up no indication that Rescator ever completed a sale of the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when a criminal uses a stolen identity and Social Security number (SSN) to file a tax return in the victim’s name and claim a fraudulent refund. Victims often first learn of the crime when their own returns are rejected because the scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money was often sent to people who had stolen SSNs and other information on U.S. citizens, and then filed fraudulent tax returns in those individuals’ names claiming a large refund to be sent to a different address.

It remains unclear why Shefel has not been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It could be that Shefel has been charged, and that those charges remain sealed for some reason. Perhaps prosecutors are hoping that Shefel, believing no one is looking for him, will decide to travel outside Russia, where it would be far easier to arrest him.

But all indications are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the UK imposed financial sanctions against a 33-year-old Russian man, Aleksandr Ermakov, over the alleged theft of data on 10 million customers of Australian health insurance giant Medibank.

A week after the sanctions were imposed, KrebsOnSecurity published a deep dive into Ermakov, which found that he co-founded a Moscow-based IT security consulting business with Mikhail Shefel called Shtazi-IT.

A Google-translated version of Shtazi dot ru. Image: Archive.org.
