COLUMBIA, S.C. (AP) — The company doing credit monitoring for South Carolina residents affected by a data breach signed a $12 million contract to work with the state just two days after being called, a representative told state lawmakers Thursday.
Mark Kapczynski told a Senate panel probing the state's cyber security that Experian was called on Oct. 23 by an attorney whose firm was hired by the Department of Revenue after state officials learned that millions of taxpayers' data had been accessed. On Oct. 25, Revenue Director Jim Etter signed an initial agreement, which was subsequently amended and then signed again Nov. 9.
The U.S. Secret Service notified state officials of the breach Oct. 10. The electronically filed tax returns of 3.8 million people and 700,000 businesses were accessed by an international hacker in mid-September. Data stolen from the Revenue Department servers included unencrypted Social Security numbers — of adults as well as their 1.9 million dependents — and bank account numbers.
In more than $20 million in bills related to the breach and its immediate aftermath, South Carolina owes the largest single amount — $12 million — to Experian under a deal negotiated by Gov. Nikki Haley. The first half is due Saturday. The state's contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, as well as dedicated call center operators. About a million people have signed up so far.
State officials have said they went straight to Experian after the breach, in part because of the company's work with another South Carolina agency. Haley and revenue officials have said only Experian, one of the three credit bureau giants, had the expertise and capacity to quickly provide monitoring and call-center services for millions of taxpayers made vulnerable to identity theft by what is believed to be the largest cyber-attack on a state tax agency in the nation's history.
Another reason the state went with Experian, Haley said, is that the Ireland-based company already was under a $1 million contract with the state's Medicaid agency for similar services, due to the theft of patient data from that Cabinet agency earlier this year.
Etter told senators Oct. 30 that Revenue didn't consider any other companies. The agency's outside attorney quickly intervened, saying other firms were indeed contacted, just not in a formal bid process in the emergency situation. Revenue named those other companies, saying they too were quickly but thoroughly considered before Experian was chosen. But their CEOs have told The Associated Press they never heard a peep from the agency.