Experian Lands $12 million Contract after State Data Breach

Largest State Agency Breach in US History – Bad News for South Carolinians

Experian signed a $12 million contract with the state of South Carolina just two days after the state was called out over its major data breach. The Department of Revenue for the State of South Carolina hired a law firm and began a probe into the data breach, which affected millions of taxpayers. We are only now learning that less than two months ago the state's Revenue Director, Jim Etter, signed a contract in October which was later amended on November 9, 2012.

It appears that the U.S. Secret Service notified state officials of the breach Oct. 10. The electronically filed tax returns of 3.8 million people and 700,000 businesses were accessed by an international hacker in mid-September. Data stolen from the Revenue Department servers included unencrypted Social Security numbers – of adults and their 1.9 million dependents – and bank account numbers.

Of more than $20 million in bills related to the breach and its immediate aftermath, South Carolina owes the largest single amount – $12 million – to Experian under a deal negotiated by Gov. Nikki Haley. The first half was due this month. According to Experian, the state's contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, 2013, in addition to dedicated call center operators. So far, about one million residents of South Carolina have signed up.

This could be the largest cyber-attack at a state agency level in America's history. This is a very significant breach. One could ask why LifeLock, a US company, or TransUnion or Equifax was not taken under contract to help deal with the credit monitoring and call center requirements for these millions of taxpayer victims. Governor Haley's answer is that the Ireland-based company was already under a $1 million contract with the state's Medicaid agency for similar services, because of the theft of patient data from that Cabinet agency earlier this year. There was no formal bidding process; the government called this an 'emergency situation', to Experian's benefit.

Like finding a four leaf clover after a tornado tears down your neighborhood, Experian has the 'luck of the Irish', and admitted that the retail value of the products Experian has contracted to provide to South Carolinians who enroll, up to 5.7 million, is about $150 million so far. More than 932,000 people have signed up so far for the free year of monitoring, which typically costs about $160. If enrollees opt for a second year, Experian has said they would be eligible for a reduced rate of about $80. If all current enrollees signed up for the additional year, that would mean nearly $75 million for Experian.

As we've said before, the cost of pre-emptive, pro-active data protection is far less than the cost of dealing with damages and reparations after a breach. It turns out that the Budget and Control Board approved a $20 million loan request for the Revenue Department to pay for the state's response. In addition to Experian's bill, other bills due include $200,000 to a public relations firm, $290,000 to a legal firm, and $750,000 to Mandiant, whose computer forensic experts determined what happened and recommended how to better secure the agency's data.

The revenue agency also expects to spend $5.6 million on two Mandiant recommendations – the bulk of it to encrypt stored data, plus about $25,000 for token-based technology that produces temporary passwords for employees logging into the system remotely. Mandiant officials have said either measure could have prevented the hacking. Notices to affected taxpayers will all have gone out in time for Christmas and the New Year, at a cost of $1.3 million to the state.

Lessons to be learned – it doesn't matter who you are or how big and powerful you are – if you house personally identifiable information (PII), you are a target. Who wins out on this one? We'll give Experian and the hackers an A for effort. We can only hope the Secret Service tracks them down and brings them to justice, but in the meantime it's a very expensive lesson for the Information Technology staff of South Carolina and for their citizens, the victims.

(Sources: CDM, Experian and the state of South Carolina)
