Hacker made off with over 5.5 million Social Security Numbers across 10 states

The PII of 6,367,467 users from 10 states was exposed when America’s JobLink Alliance Technical Support was breached, according to records obtained via an open records request.

When a Kansas Department of Commerce data system was breached back in March, a hacker accessed more than 5,561,803 Social Security Numbers from 10 states as well as PII from another 805,664 user accounts without SSNs. In total, that means 6,367,467 users’ information was exposed to the hacker. Those numbers were obtained by the Kansas News Service via an open records request.

Have you ever looked for a job via the online portal America’s Job Link Alliance (AJLA)? You might better recognize it under other names; Kansasworks.com is just one example. Workforce services in various states had contracts with the Kansas database contractor AJLA-TS (America’s Job Link Alliance Technical Support). Did you know AJLA says it retains the personally identifiable information (PII) of job seekers unless specifically asked to delete it? If you found a job via AJLA, then it might be wise to ask for your data to be deleted.

AJLA-TS admitted in a press release back in March that a malicious third-party “hacker” exploited a vulnerability in the AJL code and was able to access millions of users’ information.

The actual hack occurred in February, but wasn’t discovered until March. AJLA admitted, “On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system. The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.” The code misconfiguration had been hanging around since October 2016.

The suspicious activity was discovered on March 12 and eliminated on March 14; the FBI was contacted on March 15.

The PII exposed to the hacker included users’ names, Social Security Numbers, dates of birth and so forth. Kansas was managing the data for 16 states at the time of the hack, but claimed the following 10 states were affected: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.

The number of SSNs first reported as affected by the AJLA-TS hack doesn’t exactly match the figures obtained by the Kansas News Service. The real numbers of affected individuals are slightly lower:

Alabama: 1,393,109 SSNs exposed
Arkansas: 597,374 SSNs exposed
Arizona: 896,370 SSNs exposed
Delaware: 236,134 SSNs exposed
Idaho: 170,517 SSNs exposed
Illinois: 807,450 SSNs exposed
Kansas: 563,568 SSNs exposed
Maine: 283,449 SSNs exposed
Oklahoma: 430,679 SSNs exposed
Vermont: 183,153 SSNs exposed

“Across these 10 states, another 805,664 user accounts without SSNs were also affected.”

Although AJLA is required to ask users for SSNs, not everyone provides one. Most likely do because they believe it is required.

In May, the Kansas Department of Commerce sent about 260,000 emails to Kansas’ 563,568 victims; KCUR said the rest were not contacted because the department claimed it didn’t have email addresses for all affected users and it is not required by law to call or send snail mail to victims.

Kansas agreed to pay for a year of credit monitoring services for affected victims in nine states; users in Delaware are eligible for three years of credit monitoring services. You don’t have long to take advantage of the offer. As KCUR reported, “The call center for victims, which can be reached at (844) 469-3939, will remain open through the end of this month.” That leaves affected users about a week to take action.

