After a year, one would think state officials would be on top of events surrounding the huge security breach they were responsible for. Unfortunately, one would be wrong
State Department of Revenue officials were caught flat-footed this past week when Experian, the company providing credit monitoring services for taxpayers and family members whose information was stolen from department computers, started soliciting people to sign up for another year of credit monitoring -- at a price.
But state officials have pledged to offer at least another year of free monitoring. The legislature authorized spending $10 million to do that. State officials plan to announce a new contract Monday.
There's no need to pay for Experian's service even at the low price of 99 cents a month. Experian was awarded a $12 million, no-bid contract last year after the data breach was discovered.
Hackers stole the Social Security, bank account and credit card numbers of more than 6 million individuals and businesses contained in income tax filings in Department of Revenue computers. The department had failed to use basic security measures, including encrypting data and a multi-layered password system. The agency also had left its computer security officer's position vacant for a year before the breach; its last security officer told lawmakers he thought the agency hadn't made security a priority.
About 1.5 million people signed up for the free monitoring.
The Revenue Department said it was not aware that Experian planned to send out renewal solicitations until people started receiving emails last weekend. A spokeswoman said, "When the initial credit protection contract was signed, we did not anticipate the General Assembly providing another free year of credit protection."
But the department has known for several months now that money was in the budget for just that purpose.
On top of that, those who called the department with questions about the security breach were transferred to Experian's call center. The (Columbia) State newspaper reported that at least one Experian employee was telling those who called, "(The service is) not going to be free anymore. Because we were offering it at such a discount, we were told South Carolina is not going to do it at all."
Experian did not bid on the new contract, saying it didn't offer enough money for the services required. The company says it will cancel renewal contracts for those who want out and said the employee's comments did not reflect "approved information" sent to company agents.
Canceling renewals is the least the company can do. It also should point out the fine print in the company's 99-cents-a-month email solicitation, which states: "Limited time only. Terms subject to change without notice."
The State newspaper lists these important points for people to know:
Those whose information was stolen should do what they can to protect themselves from identity theft. That includes pushing the state do all it can to protect us, and it includes not assuming state officials are on top of this.