Hackers who breached a Kansas Department of Commerce data system used by multiple states gained access to more than 5.5 million Social Security Numbers and put the agency on the hook to pay for credit monitoring services for all victims.
The number of SSNs exposed across the 10 states whose data was accessed has not been previously reported. The Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio, obtained the information through an open records request.
More than half a million of the SSNs were from Kansas, according to the Department of Commerce.
The data is from websites that help connect people to jobs, such as Kansasworks.com, where members of the public seeking employment can post their resumes and search job openings. Kansas was managing data for 16 states at the time of the hack, but not all were affected.
In addition to the 5.5 million personal user accounts that included SSNs, about 805,000 more accounts that did not contain SSNs were also exposed.
America’s Job Link Alliance-TS, the Kansas Department of Commerce division that operates the system, discovered suspicious activity on March 12, isolated it on March 14 and contacted the FBI the next day, according to testimony provided by agency officials to Kansas lawmakers this spring.
AJLA-TS officials also sought help from a third-party IT company specializing in forensic analysis. That analysis helped them verify that the coding error the hackers exploited had been fixed and to identify precisely which user accounts had been breached.
The Kansas News Service filed its open records request on May 24 seeking details about the extent of the breach and contracts related to the state’s response. The Department of Commerce fulfilled the request on July 19.
The documents show that the agency and AJLA-TS contracted with three private companies in the aftermath of the breach:
Epiq, of Kansas City, Kan., to provide a call center for victims seeking information about the incident and Equifax credit monitoring services.
Shook, Hardy and Bacon, a Kansas City, Mo. law firm, for “professional investigative, legal and compliance services.”
SHI, a New Jersey-based IT company, for “rapid deployment” incident response.
The state is paying the law firm $175,000 for services that run through Dec. 31, 2017. The IT contract cost approximately $60,000.
The cost of the Epiq contract isn’t known because the agency redacted pricing information from the documents it released. David Soffer, a spokesperson for the department, said Epiq considers the cost information proprietary.
Testimony to lawmakers indicates AJLA-TS contracted with a fourth company in April, Texas-based Denim Group, to review code and provide feedback for improvements, which has since been implemented. The agency didn’t provide documents related to this contract in fulfilling the open records request.
Kansas will pay for up to a year of credit monitoring services for victims in nine of the 10 affected states. Victims residing in Delaware are eligible for three years of services because of contractual obligations to that state, Soffer said.
Agency officials have not yet responded to questions about whether insurance will cover some of the state’s costs.
The call center for victims, which can be reached at (844) 469-3939, will remain open through the end of this month, Soffer said.
The Department of Commerce said in May that this is the first known breach of AJLA-TS’ databases. AJLA-TS’ response to the hack – providing credit-monitoring services – exceeds what is required by Kansas state law, a department spokeswoman said at the time.
The head of a California-based advocacy group, Privacy Rights Clearinghouse, told The Topeka Capital-Journal in May that one year of credit monitoring is not sufficient protection for victims of the hack, which also exposed names and birth dates, among other personal information.
The Capital-Journal also reported that hundreds of thousands of the Kansas victims may not be aware their accounts were breached.
The Department of Commerce said in May it had sent about 260,000 emails to victims, but added that it did not have email addresses for all users. Kansas law does not require notification to the victims via post or telephone, the department said.
When a recent theft from a Washington State University unit that handles data for state agencies on a contract basis exposed the personal information of 1 million people, the university notified victims by post.
That breach also included SSNs. Like Kansas, Washington State offered victims one year of free credit monitoring.