Posted on July 21, 2017 at 7:10 PM
A Kansas Department of Commerce data system has been hacked, giving the hackers access to more than 5.5 million Social Security Numbers. The agency will have to pay for credit monitoring services for all victims.
The number of SSNs was previously unknown. It came to light only after several news agencies filed an open records request.
According to the Department of Commerce, half a million of the Social Security Numbers were from Kansas.
The breached data came from websites that help people find jobs, such as Kansasworks.com, a site where you can post your resume and search for job openings. At the time of the hack, Kansas held the data for 16 states, but not all of them were affected.
In addition to the high number of SSNs that were exposed, there were also around 800,000 more accounts that did not include Social Security Numbers.
The suspicious activity was discovered on March 12 and isolated by March 14 by America’s Job Link Alliance-TS (AJLA-TS), the Kansas Department of Commerce division that operates the system. On March 15 they contacted the FBI.
AJLA-TS also sought help from a third-party IT company, which started an analysis that made sure the coding error that gave the hackers access was fixed and determined exactly which accounts were compromised.
Kansas News Service filed an open records request on May 24 seeking details on the size of the attack. The Department of Commerce fulfilled the request on July 19. These documents showed that the agency and AJLA-TS contracted with three private companies: one to provide a call center for breach victims seeking information, a law firm for investigative, legal and compliance services, and an IT company for incident response.
Testimony to lawmakers also indicates that AJLA-TS contracted with a fourth firm in April to review code and provide feedback for improvement. That company is the Texas-based Denim Group.
It seems that Kansas will have to pay for up to a year of credit monitoring services for victims in nine of the ten states affected by the breach. People in Delaware will receive three years of services because of contractual obligations to the state.
It is still unknown whether insurance will cover some of the state's costs.
As the Department of Commerce stated in May, this is the first breach of its databases that AJLA-TS has experienced. Its response to the hack, the provision of credit-monitoring services, is more than Kansas state law requires a company to do.
But there are people who disagree, saying that a year of credit monitoring isn’t long enough protection for those affected, since their names and birthdates were exposed in addition to SSNs. Not only that, but many of the victims may not be aware that their information is in danger.
The Department of Commerce stated that it has sent 260,000 emails to those affected, but added that not all of the users had an email address on file.