The company getting $12 million from the state of South Carolina to provide a year of credit-report monitoring free to victims of a massive data breach wants to offer another year of coverage at a small discount.
Experian has given Gov. Nikki Haley’s office a proposal to offer a second year of credit-report monitoring for $10 million, Mark Kapczynski, the company’s corporate development vice president, told a special state House committee investigating the hacking on Thursday.
The state is weighing whether to give Experian a contract for a second year of fraud monitoring for up to 5.7 million consumers and their children whose tax information was stolen from the S.C. Department of Revenue in September.
Credit-report monitoring is a cornerstone of $20 million in solutions offered thus far by Haley and the Revenue Department in response to what is thought to be the largest-ever hacking of a state agency nationwide.
One other key protection – encrypting data at the Revenue Department – is not finished, legislators were told Thursday. Two months after the breach, the Revenue Department still is negotiating a $4 million contract with a computer firm to encrypt data.
Meanwhile, state consumer advocates said Thursday that they have not received reports about scammers trying to take advantage of the data breach. But scams are expected to start soon, when taxpayers get official notification letters that their information was stolen.
Crooks could pretend to be with banks or state agencies requesting personal information to offer special protection from the hacking, Carri Grube Lybarker, administrator of the S.C. Department of Consumer Affairs, told a Senate committee investigating the breach.
“Scam artists follow headlines,” she said.
The Revenue Department hacking incident dwarfs the 1 million South Carolinians who have received warnings about 83 data breaches nationwide since mid-2009, Lybarker said.
The extra year of credit-report monitoring likely will be among Haley’s priorities for the state’s budget next year as she seeks long-term protection for taxpayers, her office said.
“This is certainly one of the options we’re going to consider,” her spokesman Rob Godfrey said.
But some lawmakers think Experian ought to offer the second year of credit monitoring at no cost because the company could make money from people renewing the service year after year.
Experian’s credit-monitoring service costs $160 a year for an individual. The company expects 5 percent of those enrolled to renew the service. Based on 932,000 S.C. taxpayers registered through this week, Experian would make $7.4 million a year.
The company won the $12 million contract from the state without bidding as an emergency procurement, which irks some legislators who think the state could have found a better deal.
But House Majority Leader Bruce Bannister, R-Greenville, chairman of the House cyberattack committee, said South Carolina needed a solution to help consumers in place when the breach was announced. Still, he thinks the state has a case to seek a free second year.
“That’s a good place to start with the negotiation: ‘We made a deal with you, but really we should get two years instead of one,’ ” Bannister said. “ ‘Let everybody enrolled stay enrolled and encourage everybody who hasn’t to enroll, which will be beneficial to you.’ ”
Experian officials did not have a comment on whether the company would be willing to give the state a second year of coverage at no cost.
The fraud-monitoring service includes instant access to a credit report, alerts about changes on a consumer’s credit report, $1 million in identity-theft insurance – $2 million for the family plan – and lifetime help in resolving credit disputes.
But people will not get alerts until after a crook has used their personal financial information to, for instance, get a credit card or receive medical services. Experian’s service also does not help with abuse of existing credit cards.
In the wake of the data breach, the state also is buying a program that would shut off computers infected with viruses or uploading an unusually large amount of data, and reviewing state cybersecurity plans to better protect sensitive information.
Hackers did not need to crack any codes once they stole the state taxpayer data, including Social Security numbers, because the information was not encrypted.
The governor’s office said soon after the hacking was revealed to the public in October that the Revenue Department was encrypting data and would finish by late January.
The agency started to encrypt some data itself and is negotiating a $4 million contract with Boston area-based EMC to handle the remainder, said Harry Cooper, the Revenue Department’s executive deputy director. No timetable was given for completing the contract.
The Revenue Department is working on a dual-password system, costing $25,000, that a computer security expert hired by the state said would have thwarted the hackers.
Cooper told the special House committee that he did not know if the dual-password system would have prevented the theft.
“These people are persistent,” he said. “What else we could have done, I don’t know.”
Revenue Department director Jim Etter is resigning at the end of the month after agreeing with Haley that the agency needed a new set of eyes after the hacking.