Kansas Commerce Agency Hack: Millions Of Social Security Numbers At Risk
Kansas will pay for up to a year of credit monitoring services for victims in nine of the affected states.

TOPEKA, KS — When hackers breached a Kansas Department of Commerce data system, they had access to more than 5.5 million Social Security numbers along with another 805,000 accounts that didn't include Social Security numbers, according to records obtained from the agency.
The suspicious activity was discovered March 12 by America's Job Link Alliance-TS, the commerce department division that operates the system. It was isolated two days later and the FBI was alerted the following day, according to testimony from agency officials to the Legislature this spring. Other states affected in the hack include Arkansas, Arizona, Delaware, Idaho, Maine, Oklahoma, Vermont, Alabama and Illinois.
The Kansas department must pay for credit monitoring for most of the victims of the hacking, according to records obtained through an open records request by the Kansas News Service. The Kansas News Service filed its open records request May 24 and the commerce department fulfilled the request Wednesday.
A commerce department representative didn't immediately return a call Friday from The Associated Press seeking comment.
The data is from websites that help people find jobs, such as Kansasworks.com, where people can post resumes and search job openings. At the time of the hack, Kansas was managing data for 16 states but not all the states were affected.
After the hack, AJLA-TS officials called in a third-party IT company specializing in forensic analysis to verify that the coding error the hackers exploited was fixed and to identify victims.
The documents show the commerce department also contracted with private companies to help victims, provide IT support and to provide legal services. The state is paying $175,000 to the law firm and $60,000 to the IT firm. The commerce department didn't provide the cost of the third contract.
Earlier testimony to lawmakers indicated a fourth company, Texas-based Denim Group, was contracted in April to review code and provide advice for improvements, which has since been implemented. The agency didn't provide documents related to that contract.
Kansas will pay for up to a year of credit monitoring services for victims in nine of the affected states. Delaware residents are eligible for three years of services because of contractual obligations to that state.
The agency said in May this was the first known breach of AJLA-TS' databases and the contractor's response exceeded requirements in Kansas law. However, the commerce department said it had sent about 260,000 emails to victims but couldn't contact all victims because it didn't have their email addresses. Kansas law does not require notification to the victims via post or telephone, the department said.
The call center for victims, which can be reached at (844) 469-3939, will remain open through the end of July.