Largest State Agency Breach in US History – Bad News for South Carolinians

Experian signed a $12 million dollar contract to work with the state of South Carolina just two days after they were called on their major data breach.  The Department of Revenue for the State of Carolina hired a law firm and began a probe into the data breach which affected millions of taxpayers.  We’re now just learning that less than two months ago, Revenue Director for the state, Jim Etter, signed a contract in October which was later amended on November 9, 2012.

It appears that the U.S. Secret Service notified state officials of the breach Oct. 10. The electronically filed tax returns of 3.8 million people and 700,000 businesses were accessed by an international hacker in mid-September. Data stolen from the Revenue Department servers included unencrypted Social Security numbers – of adults and their 1.9 million dependents – and bank account numbers.

In more than $20 million in bills related to the breach and its immediate aftermath, South Carolina owes the largest single amount – $12 million – to Experian under a deal negotiated by Gov. Nikki Haley. The first half was due this month.  According to Experian, the state’s contract provides a year of credit monitoring for taxpayers who sign up by Jan. 31, 2013, in addition to dedicated call center operators. So far, about one million residents of South Carolina have signed up so far.

This could be the largest cyber-attack at a state agency level in America’s history.  This is a very significant breach.  One could question why LifeLock, a US company, or TransUnion or Equifax was not taken under contract to help deal with the credit monitoring and call center requirements for these millions of tax-payer victims?  Governor Haley’s answer is that the Ireland-based company was already under a $1 million contract with the state’s Medicaid agency for similar services, because of the theft of patient data from that Cabinet agency earlier this year.  There was no formal bidding process and the government called this an ‘emergency situation’ to Experian’s benefit.

Like finding a four leaf clover after a tornado tears down your neighborhood, Experian has the ‘luck of the Irish’, and admitted that the retail value of the products Experian has contracted to provide to South Carolinians who enroll, up to 5.7 million, is about $150 million so far. More than 932,000 people have signed up

so far for the free year of monitoring, which is typically about $160. If enrollees opt for a second year, Experian has said they would be eligible for a reduced rate of about $80.  If all current enrollees signed up for the additional year, that would mean nearly $75 million for Experian.

As we’ve said before, the cost of pre-emptive, pro-active data protection is far less than that of dealing with damages and reparations, after a breach.  It turns out that the Budget and Control Board approved a $20 million loan request for the Revenue Department to pay for the state’s response. In addition to Experian’s bill, other bills due include $200,000 to a public relations firm, $290,000 to a legal firm, and $750,000 to Mandiant, whose computer forensic experts determined what happened and recommended how to better secure the agency’s data.

The revenue agency also expects to spend $5.6 million on two Mandiant recommendations – the bulk of it to encrypt stored data, plus about $25,000 for token-based technology that produce temporary passwords for employees logging into the system remotely. Mandiant officials have said either method could have prevented the hacking.  Notices to affected taxpayers will have all gone out in time for Christmas and the New Year, at a cost of $1.3 million to the state.

Lessons to be learned – it doesn’t matter who you are or how big and powerful – if you house personally identifyable information (PII), you are a target.  Who wins out on this one?  We’ll give Experian and the hackers an A for effort.  We can only hope the Secret Service tracks them down and brings them to justice but in the meantime, it’s a very expensive lesson to the Information Technology staff of South Carolina and to their citizens, the victims.

(Sources: CDM, Experian and the state of South Carolina)