COLUMBIA, S.C. (AP) — Despite days of coordination on how to tell taxpayers their personal information had been hacked, South Carolina officials have given confusing and sometimes contradictory information about the extent of the problem and how to enroll for help.
Emails released by the governor's office in response to open-records requests filed by The Associated Press and other media outlets show there was confusion about how many people and businesses were affected, what was exposed and how to operate a hotline for taxpayers.
The emails lay out the coordination among the governor's office, state revenue officials, outside attorneys, a public relations firm hired to craft the message and the credit bureau Experian.
The U.S. Secret Service first told state officials about the data breach on Oct. 10, but state officials said they were warned not to the tell the public immediately because it could jeopardize the investigation.
The public first learned of the breach on Oct. 26, when Gov. Nikki Haley held a news conference to say 3.6 million Social Security numbers and 387,000 credit and debit card numbers — 16,000 of them unencrypted — were accessed from tax returns filed since 1998.
She urged taxpayers to call a toll-free number to learn if they were exposed. If so, they would receive activation codes needed to sign up for a year of credit monitoring paid for by the state. Experian, which received a no-bid contract, has agreed to cap the state's cost for monitoring and use of its call center at $12 million.
The news conference, on a Friday afternoon, occurred after at least two days of discussions about how to coordinate the release and set up a hotline. One email from an attorney in Atlanta congratulates everyone for pulling the plan together and notes how important it is to have a call center equipped to handle the expected flood of calls.
"Excellent work, everyone!" wrote attorney Jon Neiditz, a partner in Nelson Mullins Riley & Scarborough's Atlanta office, the morning of the news conference. "Having a working call center of well-trained professionals that can handle high volumes ... will make this go 10 times as well as it would have otherwise." He ends with "Congratulations (knock on wood)."
It didn't go well: The call center was unable to handle the flood of phone calls that day. A recorded message told people to call back. Officials scrambled to fix it. The following day, callers were provided the credit-monitoring activation code on a recorded message. By Monday, there was no need to call at all. Haley later blamed reporters for clogging the lines.
Experian suggested the state give a different explanation: saying the state and Experian were simply unprepared for the overwhelming response and had unintentionally created an "exaggerated sense of urgency" by omitting that people could register through Jan. 31. That date was nowhere on initial news releases.
News releases did give conflicting information on the call center. The Department of Revenue said in its release and in emails to reporters that it would operate 24/7, while the governor's release gave set hours. The website for logging into Experian also had issues. Complaints included a congressman's spokesman saying the site tried to charge him.
It also became clear the state had no idea whose data was actually compromised, despite the initial directions to call and find out.
At first, deputy Chief of Staff Ted Pitts told staff that residents should call the hotline to learn if their data was breached. In coming days, officials simply urged anyone who had filed since 1998 to sign up for monitoring.
The two-step process was only to keep taxpayers from another state from signing up.
"Due to the massive and unprecedented number of callers, we were able to get Experian to change their normal process to make it easier for South Carolinians to sign up," Haley spokesman Rob Godfrey said Friday.
The nature of the total number of 3.6 million people affected also changed. It wasn't just Social Security numbers, but other information culled from tax returns. By Oct. 30, the state warned the figure represented entire tax returns, exposing Social Security numbers, along with bank accounts and routing numbers, all unencrypted, plus the card numbers, unencrypted from returns older than 2003.
A Revenue chart on projected costs, dated Oct. 28, shows 3.95 million taxpayers were compromised. The chart specifies how many filers had dependents, whether they filed jointly, or, if they filed separately, married, single or widowed. Officials have not answered how the agency can provide such detail on the chart, but not know whose information was taken.
Businesses got added into the mix four days after the initial announcement, despite initially reporting they weren't believed to be affected. The state has said it can't tell which businesses were exposed, though an internal email gives a breakdown with very specific numbers of the accounts: 340,185 business sales accounts and 317,322 withholding accounts were compromised.
The firm Dunn & Bradstreet Credibility Corp. offered to provide business owners a credit monitoring service at no cost to either them or the state. But according to the emails, the company thought it would offer it for free "for a year or so," not for the life of the business, as Haley told reporters. The company agreed to provide it "for the life of the product" after she made the public promise.
"Thank you for doing this for life. That's what we told the press," wrote chief of staff Bryan Stirling.
"In the spirit of our conversation, our goal is to help these businesses out long term until this problem is resolved," company Chairman and CEO Jeff Stibel responded.
In the weeks following the announcement of the data breach, the governor held almost-daily press briefings on the situation as information changed.
"From the outset of responding to this unprecedented criminal attack on South Carolina, our highest priority has been protecting taxpayers and keeping them informed of each development in real time," Godfrey said. "At times that has meant making adjustments on the fly, but every adjustment has been made in the interest of informing and protecting people as quickly as possible."