S.C. revenue department breach

SC hacking victims told not to buy credit monitoring, yet

ashain@thestate.comSeptember 17, 2013 

  • More information

    What S.C. hacking victims need to know

    •  S.C. hacking victims who enrolled with Experian for state-paid credit monitoring after the breach have a year before their free coverage ends. Taxpayers were able to enroll from October through March.

    •  The state could offer free credit monitoring for at least five years.

    •  Those who enrolled with Experian will have to sign up with the new state-funded credit-monitoring service when it is announced.

    •  Taxpayers can buy their own credit-report protection and receive a state tax deduction ranging from $300 to $1,000.

— As the first year of free state-paid credit monitoring is ending, confusion for victims of the S.C. Department of Revenue hacking is starting.

The state will continue to offer free monitoring for another year in a new agreement worth up to $10 million. That contract will be awarded Monday.

But Experian – given a one-year, $12 million monitoring contract after the breach was discovered last October – started asking S.C. consumers Friday to renew coverage with that company at a cost of $11.88 a year.

The S.C. Department of Revenue says it was caught unaware by Experian’s move and did not send out a public notice until 5 p.m. Tuesday. That opened the possibility of hacking victims paying a private company for monitoring instead of using a no-cost-to-the-consumer service paid for with tax dollars.

“This will be confusing to our people around the state,” said Senate Finance chairman Hugh Leatherman, R-Florence. “I had someone come up to me say, ‘For 99-cents a month, I’d be crazy not to sign up.’ I said the state is going to provide for it.”

The deal also could be worth millions to Experian.

“We have paid them to market to us,” state Sen. Kevin Bryant, R-Anderson, who chaired a special committee that examined the nation’s worst breach at a state agency.

Hackers stole the personal information belonging to 6.4 million S.C. taxpayers and businesses last year from the Revenue Department.

The Revenue Department advised in a notice posted on its website that hacking victims should “be patient in making a decision about the continued credit monitoring services offered by any vendor, including Experian, until they have an opportunity to evaluate the services the state will cover and soon make available.”

But that advice came days after people started receiving renewal notices from Experian.

Calls to the S.C. Department of Revenue about identity-security questions also have been transferred by the agency to the Experian’s call center. An Experian agent said incorrectly Tuesday that the state no longer would offer free monitoring.

Instead, the Experian agent encouraged hacking victims to re-sign with the company.

“It’s not going to be free anymore,” an Experian representative said Tuesday in response to call from a taxpayer. “Because we were offering it at such a discount, we were told South Carolina is not going to do it at all.”

Experian’s $11.88 a person annual offer is a fraction of its usual $160 retail price. But lawmakers said they expect Experian’s price to rise in future years.

Experian – which received an emergency, no-bid contract with the state last year – said the comments made by its call-center agent Tuesday “does not reflect the approved information conveyed to all of our representatives. ... We have moved quickly to correct this.”

Experian said it declined to bid for the new contract that takes effect Oct. 24 because the state was not offering enough money for the requested work.

Bids were due Sept. 9. Experian started sending paid renewal notices to the 1.5 million people who enrolled for free monitoring four days later.

Under the current contract, hacking victims are covered for a year after they first enrolled with Experian. Enrollment ran from October to March, meaning a hacking victim’s no-cost coverage could end anytime between October and March, depending on when they initially signed up.

House Ways and Means chairman Brian White, R-Anderson, said he did not expect Experian to pitch hacking victims for paid services. However, Experian’s contract with the state did not limit how the company could use the information it collected from hacking victims who enrolled.

“I gave them the benefit of the doubt, but they went ahead and did that,” White said.

The Revenue Department said it was not aware that Experian was sending out renewal requests until hacking victims started receiving emails over the weekend.

Asked why the agency was not prepared, a Revenue Department spokeswoman said, “When the initial credit protection contract was signed, we did not anticipate the General Assembly providing another free year of credit protection.”

The State Budget and Control Board, headed by Gov. Nikki Haley, agreed in May to offer five years of monitoring.

The Revenue Department said it transferred taxpayers to Experian’s call center as a convenience, but added, “We will soon update the option to reflect the new credit protection plan.”

The State is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service