Mark Kapczynski told a Senate panel probing the state’s cyber security that Experian was called on Oct. 23 by an attorney whose firm was hired by the Department of Revenue after state officials learned that millions of taxpayers’ data had been accessed. On Oct. 25, Revenue Director Jim Etter signed an initial agreement, which was subsequently amended and then signed again Nov. 9.
The U.S. Secret Service notified state officials of the breach Oct. 10. The electronically filed tax returns of 3.8 million people and 700,000 businesses were accessed by an international hacker in mid-September. Data stolen from the Revenue Department servers included unencrypted Social Security numbers – of adults and their 1.9 million dependents – and bank account numbers.
In more than $20 million in bills related to the breach and its immediate aftermath, South Carolina owes the largest single amount – $12 million – to Experian under a deal negotiated by Gov. Nikki Haley. The first half is due Saturday. The state’s contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, in addition to dedicated call center operators. About a million people have signed up so far.
State officials have said they went straight to Experian after the breach, in part because of the company’s work with another South Carolina agency. Haley and revenue officials have said only Experian, one of the three credit bureau giants, had the expertise and capacity to quickly provide monitoring and call-center services for millions of taxpayers made vulnerable to identity theft by what is believed to be the largest cyber-attack on a state tax agency in the nation’s history.
Another reason the state went with Experian, Haley said, is that the Ireland-based company already was under a $1 million contract with the state’s Medicaid agency for similar services, because of the theft of patient data from that Cabinet agency earlier this year.
Etter told senators Oct. 30 that Revenue didn’t consider any other companies. The agency’s outside attorney quickly intervened, saying other firms were indeed contacted, just not in a formal bid process in the emergency situation. Revenue named those other companies, saying they too were quickly but thoroughly considered before Experian was chosen. But their CEOs have told The Associated Press they never heard a peep from the agency.
On Thursday, asked by Sen. Kevin Bryant, R-Anderson, about the negotiations, Kapczynski said Experian officials didn’t know whether any other companies were being considered for the contract.
Kapczynski also said that the retail value of the products Experian has contracted to provide to South Carolinians who enroll, up to 5.7 million, is about $150 million so far. More than 932,000 people have signed up so far for the free year of monitoring, which is typically about $160. If enrollees opt for a second year, Kapczynski said they would be eligible for a reduced rate of about $80.
If all current enrollees signed up for the additional year, that would mean nearly $75 million for Experian. But Kapczynski said that, on average, only about 5 percent would likely do so – meaning a less than $4 million profit for the company.
The Budget and Control Board on Wednesday approved a $20 million loan request for the Revenue Department to pay for the state’s response. In addition to Experian’s bill, other bills due include $200,000 to a public relations firm, $290,000 to a legal firm, and $750,000 to Mandiant, whose computer forensic experts determined what happened and recommended how to better secure the agency’s data.
The revenue agency also expects to spend $5.6 million on two Mandiant recommendations – the bulk of it to encrypt stored data, plus about $25,000 for gadgets that produce temporary passwords for employees logging into the system remotely. Mandiant officials have said either method could have prevented the hacking.
Notices to affected taxpayers are starting to go out this week. All 3.8 million should be notified by year’s end, and Haley says the notices will cost $1.3 million.