South Carolina
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- South Carolina’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Unauthorized access to personal or financial information costs South Carolina millions annually. In 2022, it incurred more than $100 million in damages, which is only set to increase. The state saw a 34.4% increase in fraud loss going into 2023 and currently ranks 21 in the number of data breaches nationwide. Fifty-one thousand six hundred-three residents in the state filed fraud reports, which is 1003 per 100,000 citizens. The most common cyber crimes in South Carolina include identity theft, hacking, malware, or ransomware. These targeted sectors in the state had the medical, retail, and entertainment industries.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
South Carolina's Recent Biggest Data Breaches
LoanDepot.com, LLC.
In January 2024, LoanDepot identified an incident that affected its systems. They immediately took mitigating steps to close the breach and contact the authorities. The organization also launched an investigation to assess the matter and determined that it occurred between January 3rd and 5th. Information obtained because of the breach included names, addresses, financial accounts, Social Security details, and phone numbers. There is no evidence at this time to show that the data was misused because of the incident, but LoanDepotoffered identity protection services for 24 months, along with credit monitoring for those who were affected. The breach affected 284,791 in the state.
Nationstar Mortgage LLC
In October 2023, the organization determined there was suspicious activity in its networks. Nationstar Mortgage initiated protocols to determine the nature and scope of the attack before contacting law enforcement. Nationstar also opted to shut down its systems to protect consumer information. From the investigation, the affected areas included names, addresses, phone numbers, birth dates, Social Security, and bank account details. The incident involved 228, 259 people. Nationstar also indicated they monitored the dark web and did not see evidence that data related to the incident was shared widely. Although there is no evidence that its information was compromised, the company offers the affected 24 months of identity protection. It also provided credit monitoring for impacted individuals.
Caesars Entertainment, Inc.
Caesars Entertainment Inc. experienced a systems breach following a social engineering hack on an IT support vendor. The company activated its incident response protocols and implemented remediation measures. Caesars Entertainment also launched an investigation and notified law enforcement concerning the incident. The assessment determined that data was accessed, including names, addresses, email addresses, license plates, birth dates, health information, and other biometric data. The organization also offers identity protection services, including credit and web monitoring, to those affected.
ROMWE
In September 2020, ROMWE discovered that their customer usernames and passwords had been revealed on the dark web following unauthorized access to their computer networks. The incident affected 102,148 South Carolina residents. Some information disclosed included emails, phone numbers, or other optional data stored. ROMWE responded by increasing password encryption and using advanced intrusion detection technology. In some cases, they forced password resets for all potentially affected clientele. Potentially affected clientele can access identity theft protection services and a $1,000,000 insurance reimbursement policy.
Medical University of South Carolina Data Breach
BlackBaud, which is an external vendor for the Medical University of South Carolina, was notified of a data breach in July 2020. The unauthorized party accessed and removed information used by MUSC for fundraising and donation. That is, names, contact information, birth dates, relationships, and donation histories. MUSC reviewed all relevant practices and procedures concerning personal data and reported security changes it had implemented. Blackbaud also indicated that it had identified the access point and took action to fix the problem. It is also hardening its environment through enhancements to management and networks.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Businesses or individuals with personal information must disclose data breaches to the affected individuals. The entities may have to notify certain institutions depending on the number of those impacted by breaches. For example, if the breach affects more than 1,000 South Carolinians, the entity has to notify the Department of Consumer Affairs by providing a copy of the issued notice. The same will also be given to the state attorney general. It must also be done in the most expedient time possible and without unreasonable delay. A delay can only be permitted when the notification interferes with a law enforcement agency's investigation.
Businesses that handle personal data they do not own are also required to notify the owners or licensees of a breach of security of this data when it is revealed. That is, if there is reasonable cause to believe an unauthorized party has breached data. Entities that create and follow their own notification processes when it comes to data breach notification will be found to comply with the statute's requirements. That is provided it has been done expediently, and they notify the affected people using the prescribed methods.
Permitted ways of notifying affected citizens include written, electronic, or telephonic notices. It is allowed for an organization in the state to issue a substitute notice if the number of people affected is more than 500,000 or the cost of issuing notices exceeds $250,000. Similarly, if the business does not have enough contact details concerning those directly affected, it is possible to give a substitute notice. This can be done by advertising the notice on its website. The organization can also notify major statewide outlets concerning the data breach.
Laws
- South Carolina Financial Identity Fraud and Identity Theft Protection Act - The act includes consumer protections regarding credit reports, disposal, and security breaches. It also places a requirement on businesses concerning maintenance collection and personal information.
- The Data Security Act in South Carolina defines the requirements for licensees and sets standards for data security as well as investigation following a breach event.
- South Carolina Insurance Data Security Act - This act covers the definitions of a data security breach, notification obligations, when to notify consumer reporting agencies, third-party or agency notifications, and associated timing.