South Carolina’s 2012 Data Breach: Suspect Identified

“Notorious cybercriminal” alleged perpetrator of #SCHacked …

Getting your Trinity Audio player ready...

One of the top sources for cybersecurity news in the United States is pinning the blame for a massive data breach that rocked South Carolina over a decade ago on a “notorious” Russian hacker.

According to Brian Krebs of Krebs On Security, #SCHacked – the 2012 breach of the S.C. Department of Revenue (SCDOR) – was “carried out by the same Russian hacking crew that stole millions of payment card records from big box retailers like Home Depot and Target in the years that followed.”

The South Carolina breach resulted in the theft of tax and bank account information for 3.8 million people – and 650,000 businesses. More than 400,000 credit and debit card numbers were coughed up, too.

“The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews,” Krebs noted.

On Tuesday, Krebs reported a “notorious cybercriminal” named Rescator posted a message to a Russian-language crime forum on October 7, 2012 advertising the sale of “a database of the tax department of one of the states.”



“Bank account information, SSN and all other information,” was included in the database, according to his post on the Embargo forum. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator made a similar post on Mazafaka – another Russian forum – announcing the sale of information from a “U.S. state tax database” containing “SSN, employer, name, address, phone, taxable income, tax refunded amount and bank account number” information.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

At the time the first solicitation was made, South Carolina officials had no idea there had even been a breach. They would not learn of the hack until three days later – on October 10, 2012 – when they were notified by U.S. Secret Service (USSS) agents in Atlanta, Georgia.

It would take another sixteen days before the breach was publicly announced by former governor Nikki Haley, whose administration terribly mishandled the crisis – and repeatedly lied to the public about the extent of the exposure.

So … who is Rescator?




According to Krebs, his name is Mikhail Borisovich Shefel, a 36-year-old Moscow resident who “is deeply rooted in Russia and has no plans to leave.” Shefel is affiliated with 33-year-old Russian Aleksandr Ermankov, who earlier this year was identified by American, Australian and British authorities as being responsible for the hack of Medibank, an Australian health care provider. That incursion resulted in the theft of 9.7 million patient records.

South Carolina law enforcement leaders – including Mark Keel, chief of the S.C. State Law Enforcement Division (SLED) – have acknowledged they know who perpetrated the 2012 hack. They have declined to identify the individual they believe to be responsible – and declined to answer questions about whether ransom payments were made to the hacker.

Keel recently told a legislative panel the perpetrator of the hack would be indicted and arrested “if we could ever get to this individual,” according to reporter Jeffrey Collins of The Associated Press.

According to Krebs, the South Carolina breach began on August 13, 2012 when a state information technology contractor helping install a new computer system at SCDOR “clicked a malicious link in an email.” By the time the incursion was belatedly discovered, the contractor was no longer employed by the state.

Palmetto State taxpayers shelled out tens of millions of dollars in the aftermath of the hack on new cybersecurity measures and identity theft protection for taxpayers.

The full extent of the damage done by the hack is unknown, but according to Krebs “Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely.”



(Travis Bell Photography)

Will Folks is the founding editor of the news outlet you are currently reading. Prior to founding FITSNews, he served as press secretary to the governor of South Carolina and before that he was a bass guitarist and dive bar bouncer. He lives in the Midlands region of the state with his wife and eight children.



Got something you’d like to say in response to one of our articles? Or an issue you’d like to proactively address? We have an open microphone policy here at FITSNews! Submit your letter to the editor (or guest column) via email HERE. Got a tip for a story? CLICK HERE. Got a technical question or a glitch to report? CLICK HERE.


Get our newsletter by clicking here …


Related posts


News Flash: Jesus Is Not Your Boyfriend

Will Folks

Upstate Elementary School Sexual Assault Case Headed For Trial

Will Folks

Palmetto Past & Present: South Carolina’s ‘Buckeye Rebel’

Mark Powell

Leave a Comment