Kansas data breach gives hackers access to millions of Social Security numbers

By Associated Press

July 21, 2017, 11:36 a.m. Updated July 21, 2017, 12:42 p.m.

TOPEKA — Hackers who breached a Kansas Department of Commerce data system in March had access to more than 5.5 million Social Security numbers in 10 states, along with another 805,000 accounts that didn't include the Social Security numbers, according to records obtained from the agency.

The department will be required to pay for credit monitoring for most of the victims of the hacking, according to records obtained through an open records request by the Kansas News Service.

Besides Kansas, the other states affected by the hack are Arkansas, Arizona, Delaware, Idaho, Maine, Oklahoma, Vermont, Alabama and Illinois.

The suspicious activity was discovered March 12 by America's Job Link Alliance-TS, the commerce department division that operates the system. It was isolated March 14 and the FBI was contacted the next day, according to testimony from agency officials to the Legislature this spring. The Kansas News Service filed its open records request May 24 and the commerce department fulfilled the request Wednesday.

A commerce department representative didn't immediately return a call Friday from The Associated Press seeking comment.

The data is from websites that help people find jobs, such as Kansasworks.com, where people can post resumes and search job openings. At the time of the hack, Kansas was managing data for 16 states but not all the states were affected.

After the hack, AJLA-TS officials called in a third-party IT company specializing in forensic analysis to verify the coding error the hackers exploited was fixed and to identify victims.

The documents show the commerce department also contracted with private companies to help victims, provide IT support and provide legal services. The state is paying $175,000 to the law firm and $60,000 to the IT firm. The commerce department didn't provide the cost of the third contract.

Earlier testimony to lawmakers indicated a fourth company, Texas-based Denim Group, was contracted in April to review code and provide advice for improvements, which has since been implemented. The agency didn't provide documents related to that contract.

Kansas will pay for up to a year of credit monitoring services for victims in nine of the affected states. Delaware residents are eligible for three years of services because of contractual obligations to that state.

The agency said in May this was the first known breach of AJLA-TS' databases and the contractor's response exceeded requirements in Kansas law. However, the commerce department said it had sent about 260,000 emails to victims but couldn't contact all victims because it didn't have their email addresses. Kansas law does not require notification to the victims via post or telephone, the department said.

FreedomID Note: The call center for victims will only remain open through the end of July.

Mark Norman