Another 387,000 credit and debit card numbers were also exposed in the September attack, the state Department of Revenue said in a statement Friday. However, out of that number only about 16,000 of the credit and debit cards were unencrypted, the department added. The SSNs, meanwhile, do not appear to have been encrypted.

Anyone who has filed a South Carolina tax since 1998 has been impacted by the breach and will be offered one year of identity protection service from Experian. The service includes a $1 million identity theft insurance policy. (The state department has set up a Web page with contact information for people to call.)

"The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens," South Carolina Governor Nikki Haley said in the statement. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected."

The department said the data theft appears to have occurred sometime in mid-September. An ongoing investigation of the breach by security firm Mandiant shows that the perpetrators first made an attempt to break into the system and steal the data in August and twice again in mid-September. The hackers appear to have accessed the data during the mid-September intrusions, the department said in its statement.

The Department of Revenue first learned of the intrusion only on Oct. 10 after being notified about it by the S.C. Division of Information Technology. Federal and state law enforcement authorities were immediately informed about the breach and Mandiant was brought in the next day to begin remediating the situation. It is not immediately clear what systems were breached, or how.