South Carolina looked at just 1 company after security breach


COLUMBIA — South Carolina officials responding to a breach of taxpayers’ personal information say they went straight to Experian for help, resulting in a $12 million no-bid contract questioned by legislators.

“We didn’t speak with anybody else,” Revenue Director Jim Etter told senators at an Oct. 30 hearing – clearly not what they wanted to hear. The agency’s outside attorney quickly intervened, saying other firms were indeed contacted, just not in a formal bid process in the emergency situation.

Revenue named those other companies on Thursday, saying they too were quickly but thoroughly considered before Experian was chosen. But their CEOs told The Associated Press on Friday they never heard a peep.

“They definitely didn’t contact us,” said Steven Bearak, the CEO of Massachusetts-based Identity Force.

“I have not heard from anyone in the state of South Carolina regarding the breach,” said Brian Logan, the founder and CEO of Atlanta-based Citreas. “We’d love to assist with it.”

Gov. Nikki Haley and Revenue officials have said only Experian, one of the three credit bureau giants, had the expertise and capacity to quickly provide monitoring and call-center services for millions of taxpayers made vulnerable to identity theft by what is believed to be the largest cyber-attack on a state tax agency in the nation’s history.

Another reason the state went with Experian, Haley said, is that the Ireland-based company already was under a $1 million contract with the state’s Medicaid agency for similar services, due to the theft of patient data from that agency earlier this year.

“They came highly recommended,” Haley said Tuesday. “They were the least expensive and came back with a great quality of service.”

Her office says Experian was vetted by Health and Human Services. But that too was an emergency situation without a bid process, in which only Xerox and Experian were considered.

Bearak and Logan dispute the notion that only Experian could take the case, saying their pricing would have been competitive – Logan says cheaper – with services beyond Experian’s in place within 24 hours. For instance, both say their companies scan records that are unlikely to show up on credit reports, like utility bills, payday loans, and even social media. They also said they wouldn’t have imposed a sign-up deadline for consumers and would have provided more complete resolution services for identity theft victims.

Answers on when officials contacted Experian, and whether other companies were given any consideration, have evolved depending on the day and who’s asked.

Etter told senators discussions with Experian began Oct. 25.

That’s 15 days after the Secret Service notified the state of the breach and a day before Etter and Haley announced that a hacker accessed millions of tax. Officials say law enforcement dictated when they could go public. The number of estimated taxpayers compromised has since climbed to 3.8 million, plus 657,000 businesses.

Haley has never disputed that officials looked only at Experian. On Tuesday, she told reporters “Experian was contacted the second we knew of the breach. Experian was first.” That would’ve been Oct. 10.

On Thursday, Revenue spokeswoman Samantha Cheek said the agency’s outside attorneys first contacted Experian Oct. 23.

Those attorneys, hired specifically for the breach, provided pricing for Experian, Citreas and Identity Force that same day, Cheek said.

“These three vendors were presented for their favorable volume pricing and the potential value of their services in this circumstance,” Cheek said. “After consideration, which was required to be very quick but was nonetheless thorough, Experian appeared to be the vendor best suited to the nature and size of the breach.”

Asked for documentation, Cheek said the legal firm had that. On Friday, she said she was waiting for the firm to respond to the request.

Haley has been urging residents to sign up for Experian’s ProtectMyID service, which provides a year of monitoring across all three credit bureaus and notifies customers of account openings, delinquencies and address changes. Residents must sign up by Jan. 31. As of Friday, nearly 814,000 people had done so.

Haley negotiated a $12 million flat fee on the cost of the one-year monitoring service and Experian-operated call centers – half of that due Dec. 15, the other half by Jan. 31.

The initial contract, signed Oct. 26, called for the state to spend $15.35 per person who signed up for ProtectMyID, plus $720,000 for U.S.-based call center agents dedicated to taking South Carolinians’ calls, according to contracts provided to The Associated Press and other media Wednesday. As of Friday’s count, the cost under that agreement would already be above $13 million.

“A lot of people are talking about the cost of Experian,” Haley said. “That was me negotiating to cap it at $12 million, making sure that no matter how many people, we weren’t going to say we don’t want people to sign up.”

Comments (2)
OpenCurtain 11/18/12 - 08:59 am
Still supportive of the handling so far

given the limited AP info from above.

(All of the Big 3 credit companies have Southeastern (Atlanta) offices, even though they are HQ'd in Ireland. Credit has been an international business for decades, not just a USA thing.)

For any large state agency to get credit protection in place in under 30 days is a feat and shows the goal was speed and protection, at a fair price.

Since the Big 3 are hooked into each other and share the data at the source, the protection is at the source vs. the delay inherent in any 3rd party protection company. Simply put, a deal with 1 of the Big 3 is a deal with all 3.

So far I see only some bureaucratic corners have been cut to provide speed and protection to those at risk.

I would hope at this point that SC can justify why Experian was picked over Equifax or Transunion. Because SC seems to have some ex-political lawsuit prone lawyers nipping at their heels.

OpenCurtain 11/18/12 - 09:02 am
Added Note

By capping the total fee amount at $12 million, but negotiating that all SC 3.9 million compromised records would still be covered, SC bureaucrats have saved their taxpayers.

3,900,000 compromised accounts
@ $15.35 general fee
$59,865,000 would have been total cost
-$12,000,000 Cap fee
$47,865,000 saved

BTW: @ 813,000 signed up already the Capped fee has saved SC taxpayers almost $12M.

While it never should have happened, it all happened because of one (1) computer user allowing illegal access. So far SC seems on track to be handling this problem quickly and cost effectively.
