Tens of thousands of people had data compromised in St. Lucie County Tax Collector hack

ST. LUCIE COUNTY — The amount of sensitive data accessed by a hacker group from the St. Lucie County Tax Collector's network is greater than initially thought, Tax Collector Chris Craft confirmed Tuesday.

Since Craft's office stores no sensitive data locally, he and his team initially thought the most-sensitive data taken was limited to a small number of driver's licenses that may have been scanned and temporarily stored when the hack took place.

However, further forensic investigation has found that more than 22,000 individuals likely had their driver's license numbers taken, and about 1,000 people's Social Security numbers were vulnerable, Craft said.

St. Lucie County Tax Collector's Office in Tradition.

The 22,403 driver's license or identification-card numbers were on a years-old file in the tax collector's system that, according to Craft, mistakenly never was deleted.

"This is old data that we thought we had deleted from all of our files, but there was a backup that we did not delete. We've since changed our policy in the way that we manage all this data," Craft said. "For whatever reason, this particular file was overlooked."

About 21,000 of the affected individuals still live in Florida, Craft said.

Others, though, have moved. The Tax Collector's Office last week notified affected individuals as well as officials in states where they reside. The Maine Attorney General's Office, for example, posted a notification Friday indicating 21 residents there were among about 1,000 out-of-state individuals impacted. A spokesperson for the Maine Attorney General's Office said Tuesday that it posts any reports of breaches immediately to its website, and those do not indicate an investigation or legal action.

The Social Security numbers came from a different source. A document that is filed when individuals declare bankruptcy is meant to be submitted to the Tax Collector's Office in a redacted form, Craft explained, but after review of files it became clear that a small percentage of those documents had non-redacted Social Security numbers.

"We get notice of that bankruptcy, and on that notice they send us — inadvertently, they shouldn't be, it should be redacted — the customer Social Security numbers. The vast majority of them are redacted," Craft said. "It's a much much much smaller number than the 22,000. If I'm not mistaken, it's less than 1,000 folks."

When the hack occurred, in October, and again when notorious ransomware gang ALPHV, also known as BlackCat, claimed responsibility, Craft assured residents that sensitive data is not stored locally.

"There has been information that was copied. People do have information," Craft said in November. "The biggest thing that we want to stress to the public is that we don't store their sensitive data on our network."

Just how sensitive driver's licenses are is up for debate. According to the Identity Theft Resource Center, driver's licenses are "personally identifiable information" that can be used in combination with other data to fraudulently verify one's identity.

That said, Craft said those numbers are not particularly useful to an identity thief, at least not on their own.

"Frankly, people give the driver license numbers every day to everybody," Craft said. "It isn't a big deal. I guess it could be but it's not life and death. No one's using this (alone) to wreck your credit."

Social Security numbers, on the other hand, are one of the most common tools used in identity theft. Craft said he does not know for certain that the roughly 1,000 vulnerable Social Security numbers were accessed by the hackers, but his office is offering one year of free credit monitoring to any of the affected individuals. The direct notification process for those individuals is ongoing.

"To be frank, we can't guarantee that the data was actually taken," Craft said. "Out of an abundance of caution, we're taking this approach and notifying the people so that they can make arrangements."

Employees at the Tax Collector's Office also had sensitive information taken, Craft pointed out.

Craft said all individuals should utilize credit monitoring services and consider taking extra precautions such as locking credit directly with credit reporting agencies.

The hack at the Tax Collector's Office coincided with a network outage at offices overseen by the St. Lucie County commissioners. At the time, county spokesperson Erick Gill said, the network was taken offline due to "an abundance of caution" after "suspicious activity" was noticed by staff. A network outage, which Gill described as "separate from ours," occurred a week later at the St. Lucie County Sheriff's Office, preventing it from processing records requests, including for traffic citations.

Wicker Perlis is TCPalm's Watchdog Reporter for St. Lucie County. You can reach him at wicker.perlis@tcpalm.com and 504-331-0516.

This article originally appeared on Treasure Coast Newspapers: See latest St. Lucie County Tax Collector says on hacked personal info