$12 million hacking contract signed 2 days after initial call, Experian rep says

  • Follow Government

COLUMBIA — The company doing credit monitoring for South Carolina residents affected by a data breach signed a $12 million contract to work with the state just two days after being called, a representative told state lawmakers Thursday.

Mark Kapczynski told a Senate panel probing the state’s cyber security that Experian was called on Oct. 23 by an attorney whose firm was hired by the Department of Revenue after state officials learned that millions of taxpayers’ data had been accessed. On Oct. 25, Revenue Director Jim Etter signed an initial agreement, which was subsequently amended and then signed again Nov. 9.

The U.S. Secret Service notified state officials of the breach Oct. 10. The electronically filed tax returns of 3.8 million people and 700,000 businesses were accessed by an international hacker in mid-September. Data stolen from the Revenue Department servers included unencrypted Social Security numbers – of adults and their 1.9 million dependents – and bank account numbers.

In more than $20 million in bills related to the breach and its immediate aftermath, South Carolina owes the largest single amount – $12 million – to Experian under a deal negotiated by Gov. Nikki Haley. The first half is due Saturday. The state’s contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, in addition to dedicated call center operators. About a million people have signed up so far.

State officials have said they went straight to Experian after the breach, in part because of the company’s work with another South Carolina agency. Haley and revenue officials have said only Experian, one of the three credit bureau giants, had the expertise and capacity to quickly provide monitoring and call-center services for millions of taxpayers made vulnerable to identity theft by what is believed to be the largest cyber-attack on a state tax agency in the nation’s history.

Another reason the state went with Experian, Haley said, is that the Ireland-based company already was under a $1 million contract with the state’s Medicaid agency for similar services, because of the theft of patient data from that Cabinet agency earlier this year.

Etter told senators Oct. 30 that Revenue didn’t consider any other companies. The agency’s outside attorney quickly intervened, saying other firms were indeed contacted, just not in a formal bid process in the emergency situation. Revenue named those other companies, saying they too were quickly but thoroughly considered before Experian was chosen. But their CEOs have told The Associated Press they never heard a peep from the agency.

On Thursday, asked by Sen. Kevin Bryant, R-Anderson, about the negotiations, Kapczynski said Experian officials didn’t know whether any other companies were being considered for the contract.

Kapczynski also said that the retail value of the products Experian has contracted to provide to South Carolinians who enroll, up to 5.7 million, is about $150 million so far. More than 932,000 people have signed up so far for the free year of monitoring, which is typically about $160. If enrollees opt for a second year, Kapczynski said they would be eligible for a reduced rate of about $80.

If all current enrollees signed up for the additional year, that would mean nearly $75 million for Experian. But Kapczynski said that, on average, only about 5 percent would likely do so – meaning a less than $4 million profit for the company.

The Budget and Control Board on Wednesday approved a $20 million loan request for the Revenue Department to pay for the state’s response. In addition to Experian’s bill, other bills due include $200,000 to a public relations firm, $290,000 to a legal firm, and $750,000 to Mandiant, whose computer forensic experts determined what happened and recommended how to better secure the agency’s data.

The revenue agency also expects to spend $5.6 million on two Mandiant recommendations – the bulk of it to encrypt stored data, plus about $25,000 for gadgets that produce temporary passwords for employees logging into the system remotely. Mandiant officials have said either method could have prevented the hacking.

Notices to affected taxpayers are starting to go out this week. All 3.8 million should be notified by year’s end, and Haley says the notices will cost $1.3 million.

Comments (0) Add comment
ADVISORY: Users are solely responsible for opinions they post here and for following agreed-upon rules of civility. Posts and comments do not reflect the views of this site. Posts and comments are automatically checked for inappropriate language, but readers might find some comments offensive or inaccurate. If you believe a comment violates our rules, click the "Flag as offensive" link below the comment.
soapy_725 12/14/12 - 09:09 am
SC government is going to buy

SC taxpayers identity fraud protection with taxpayer money after they and the contractor skim some crumbs of the top. SC taxpayers could have purchased identity fraud protection personally and saved some money. Kick all of the useless bums out. They have not value added benefits. The caused the problem, but you have to pay for their ineffective management. Government does nothing but spend tax revenue dollars including their pay checks. They do not protect you. They cannot protect you again a catastrophic event.

Back to Top
Top headlines
Many choices will be on ballots
In Richmond County, voters have as many as six nonpartisan choices to make, plus up to four contested Democratic primary contests or six Republican races, depending on the choice of ballot and a ...
Search Augusta jobs