Legislators question millions spent in DOR breach - wistv.com - Columbia, South Carolina |

Legislators question millions spent in DOR breach

Posted: Updated:

The governor's deputy chief of staff was on the hot seat Thursday, while he stood his ground against S.C. House representatives who questioned the governor's actions in the Department of Revenue breach.

Ted Pitts was the last to speak during a committee meeting to investigate the SCDOR breach in October. Pitts started with a timeline for the committee, explaining in detail when the governor's office found out about the breach; why they took certain steps before notifying the public; and how they landed the current legal and business contracts.

After Oct. 10 when the U.S. Secret Service notified the governor's office about the breach, they contracted Mandiant to monitor DOR's system starting Oct. 13. The "backdoor" to the DOR's database that the hacker used was closed Oct. 20 after Secret Service and Mandiant performed "surveillance" in an effort to not "tip the guy off," Pitts explained.

From there, while Pitts said Secret Service told Gov. Nikki Haley to withhold information from the public, he said they instead had to hire a legal firm to make sure the state released all appropriate information to the public. Pitts said this meant following not only state laws, but the laws of the states were former South Carolina residents now reside.

From internal researching, Pitts said the governor's office discovered Nelson Mullins' firm has an expert in cyber forensics in Atlanta. Since the legal firm has a local office, Pitts said DOR hired this firm Oct. 21. Following this, Nelson Mullins hired Chernoff Newman to perform all of the public relations actions needed to maintain public knowledge following the DOR breach.

The public was notified Oct. 26 about the breach that put 3.6 million people's information at risk.

S.C. Rep. Bakari Sellers said Pitts' information Thursday was different than what representatives were told last week, which was that DOR contracted Chernoff Newman. Pitts denied Sellers' statement.

"To adhere to laws, Nelson Mullins confirmed that we are going to need a PR (public relations) firm," Pitts said. "… We will have to reimburse Nelson Mullins, but it is a Nelson Mullins contract."

However, Sellers said the committee's concern was more on how the process was completed and not necessarily the firms that were chosen for the DOR legal and public relation issues.

"We understand Nelson Mullins contracted with Chernoff Newman," Sellers said. "Nobody has a problem with Nelson Mullins or a problem with Chernoff Newman. The problem is how it was done. How do we know the services were done at the cost to save taxpayers' dollars? … What process did Nelson Mullins go through in their retention of Chernoff Newman, and are we sure South Carolinians, since we are paying the price tag, got the best possible price in the situation?"

S.C. Rep. Harry Ott pointed to an estimated cost list where Nelson Mullins was listed to receive $300,000 and Chernoff Newman will be paid $200,000.

"We don't know who answers to whom. We are just trying to follow the money," Sellers said.

Pitts said Nelson Mullins worked with the DOR to choose Chernoff Newman.

"Nelson Mullins engaged (Chernoff Newman) at the request and coordination of DOR," Pitts said. "They chose them. We believe we got a fair price. The governor didn't believe (her office was) in the position to purchase media and place media where it needed to be (to reach the public)."

Ott did not seem satisfied with Pitts' answer and said it will likely change the next time they meet.

Pitts said the governor's office was simply trying to be transparent and wanted to provide legislators with all the information on the estimated cost to deal with the DOR breach.  

In an effort to continue following the money, Sellers then asked Pitts whether the governor's office got quotes for how much TransUnion and Equifax would charge to provide the free credit monitoring to the state.

"We did internally," Pitts said. "... There were a lot of conversations about this. There was not a call to the others."

"So you were shooting in the dark," Sellers said.

"We were not shooing in the dark," Pitts said. "We were going off historical knowledge. … We believe Experian had the most mature product, best product to fit this need."

Pitts said, to date, a little more than 1 million people have activated Experian's free credit monitoring service, along with 20,638 family accounts. The state has a $12 million cap for Experian's service. The deadline to register for the credit monitoring was extended to March 31.

Representatives pointed out that after the free year of credit monitoring, residents would have to pay $80 per person to continue the service, unless the legislators included $10 million more in its next year budget for the Experian service.

As of now, Pitts said the state has awarded a bid to SourceLink to mail letters to those affected by the breach. The contract was awarded Nov. 30 and the first letters went out Dec. 10 to out-of-state residents. The contract states 100,000 letters should be mailed a day.

Copyright 2013 WIS. All rights reserved.

Powered by WorldNow