Approximately 3,600,000 Social Security Numbers and an additional 387,000 credit- and debit-card numbers have been made public as a result of a cyber attack on the South Carolina state Department of Revenue, it has been announced, with roughly 16,000 of the credit card numbers revealed to be unencrypted.

According to a statement released by the Department of Revenue, the hacks – at least four separate attempts have been identified to date – occurred in September following an earlier attempt the previous month, with the data stolen on the latter two of the break-ins. The Department of Revenue only became aware of the hacks the following month, according to its director, James Etter: “On October 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers,” he is quoted as saying in the official statement. “We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”

Following the initial consultation with law enforcement agencies, the Department called in an outside security company, Mandiant, to consult on the investigation. In the days following, it was discovered that the system had been breached four times in September, and once in August; by October 20, the vulnerable pathway had been identified and the system secured – but by that time, it was too late.

An Associated Press report suggests that Tax Returns are also amongst the data that was breached during the hacks, but that has not been confirmed by the South Carolina authorities at this time.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” Governor Nikki Haley said, when commenting on the situation. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”

For those in South Carolina who are concerned that their Social Security Number or credit- or debit-card details have been released as part of this hack, there’re both a website – protectmyid.com/scdor – and a phone number (1-866-578-5422) to call to find out if they have been affected by the break-in. Those who have been affected will be able to receive one year of credit monitoring and identify theft protection from Experian as a result. “From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we’ve taken has been consistent with that priority,” DOR director Etter said. “We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation.”