COLUMBIA — South Carolina officials responding to the massive breach of taxpayers’ personal information said they went straight to Experian for help, resulting in a $12 million no-bid contract questioned by some legislators.
“We didn’t speak with anybody else,” Revenue Director Jim Etter told senators at an Oct. 30 hearing – clearly not what they wanted to hear. The agency’s outside attorney quickly intervened, saying other firms were indeed contacted, just not in a formal bid process in the emergency situation.
Revenue named those other companies on Thursday, saying they too were quickly but thoroughly considered before Experian was chosen. But their CEOs told The Associated Press on Friday they never heard a peep.
“They definitely didn’t contact us,” said Steven Bearak, CEO of Massachusetts-based Identity Force.
“I have not heard from anyone in the state of South Carolina regarding the breach,” said Brian Logan, founder and CEO of Atlanta-based Citreas. “We’d love to assist with it.”
Gov. Nikki Haley and Revenue officials have said only Experian, one of the three credit bureau giants, had the expertise and capacity to quickly provide monitoring and call-center services for millions of taxpayers made vulnerable to identity theft by what is believed to be the largest cyber-attack on a state tax agency in the nation’s history.
Another reason the state went with Experian, Haley said, is that the Ireland-based company already was under a $1 million contract with the state’s Medicaid agency for similar services, due to the theft of patient data from that Cabinet agency earlier this year.
“They came highly recommended,” Haley said Tuesday. “They were the least expensive and came back with a great quality of service.”
Her office said Experian was vetted by Health and Human Services. But that too was an emergency situation without a bid process, in which only Xerox and Experian were considered.
Bearak and Logan dispute the notion that only Experian could take the case, saying their pricing would have been competitive – Logan says cheaper – with services beyond Experian’s in place within 24 hours. For instance, both say their companies scan records that are unlikely to show up on credit reports, like utility bills, payday loans, and even social media. They also said they wouldn’t have imposed a sign-up deadline for consumers and provided more complete resolution services for identity theft victims.
Answers on when officials contacted Experian, and whether other companies were given any consideration, have evolved depending on the day and who’s asked.
Etter told senators discussions with Experian began Oct. 25.
That’s 15 days after the Secret Service notified the state of the breach and a day before Etter and Haley announced that a hacker accessed millions of tax returns filed since 1998. Officials say law enforcement dictated when they could go public. The number of estimated taxpayers compromised has since climbed to 3.8 million individual filers, plus 657,000 businesses.
Haley has never disputed that officials looked only at Experian. On Tuesday, she told reporters “Experian was contacted the second we knew of the breach. Experian was first.” That would’ve been Oct. 10.
On Thursday, Revenue spokeswoman Samantha Cheek said the agency’s outside attorneys first contacted Experian Oct. 23.
Those attorneys, hired specifically for the breach, provided pricing for Experian, Citreas and Identity Force that same day, Cheek said.
“These three vendors were presented for their favorable volume pricing and the potential value of their services in this circumstance,” Cheek said. “After consideration, which was required to be very quick but was nonetheless thorough, Experian appeared to be the vendor best suited to the nature and size of the breach.”
Asked for documentation, Cheek said the legal firm had that. On Friday, she said she was waiting for the firm to respond to the request.
Haley has been urging residents to sign up for Experian’s ProtectMyID service, which provides a year of monitoring across all three credit bureaus and notifies customers of account openings and delinquencies, and address changes. Residents must sign up by Jan. 31. As of Friday, nearly 814,000 people had done so.
Haley negotiated a $12 million flat fee on the cost of the one-year monitoring service and Experian-operated call centers – half of that due Dec. 15, the other half by Jan. 31.
The initial contract, signed Oct. 26, called for the state to spend $15.35 per person who signed up for ProtectMyID, plus $720,000 for U.S.-based call center agents dedicated to taking South Carolinians’ calls, according to contracts provided to The Associated Press and other media Wednesday. As of Friday’s count, the cost under that agreement would already be above $13 million.
“A lot of people are talking about the cost of Experian,” Haley said. “That was me negotiating to cap it at $12 million, making sure that no matter how many people, we weren’t going to say we don’t want people to sign up.”