Crims snatch 5.5 million social security numbers from Kansas govt box
A server where there isn't any trouble. Do you suppose there is such a server, Toto?
Hackers have lifted not only the social security numbers and personal information of half a million jobseekers in Kansas – but also records on more than five million people from nine other US states.
The compromised database belonged to the Kansas Department of Commerce. The server was set up by the department's America's Job Link Alliance-TS to power several state-sponsored job search websites where people upload their resumes and personal information for employers to peruse. Kansas was basically managing this service for 16 US states, although not all were hit in the security breach.
A Freedom of Information Act request by journalists has this month shed more light on the cyber-break-in: although the infiltration was discovered on March 12, and the systems were locked down two days later, only now is the full picture coming into focus, particularly the fact that millions of people are affected.
While the residents of Kansas took a serious hit – 563,568 of them had their info harvested – the good folks of Alabama suffered the most, with 1,393,109 people's information compromised. Arizona had 896,370 people affected and 807,450 people in Illinois were exposed in the attack. In all, 5.5 million folks had their SSNs and personal data accessed; a further 805,000 just had their personal files exposed, according to state figures.
The full list of affected states in which SSNs were leaked is as follows: Arkansas, Arizona, Delaware, Idaho, Kansas, Maine, Oklahoma, Vermont, Alabama, and Illinois.
Kansas officials called in the FBI as soon as the intrusion was discovered and is now having to spend a pretty penny sorting out the mess. The state paid $235,000 to IT contractor firm SHI for the initial incident response, an unnamed amount to call-center operator Epiq to handle those affected, and $175,000 to lawyers Shook, Hardy and Bacon to cover the state's ass legally.
Kansas has no data breach notification laws. The state has said it will give a year of free identity theft protection to those affected, further adding to the bill. The 236,134 people affected by the hack in Delaware will get three years of coverage, in line with that state's laws.
To make life more complicated, Kansas officials say they don't have the contact details for everyone affected, and has only sent out 260,000 emails to victims. El Reg is happy to help get the word out. ®
Sponsored: Becoming a Pragmatic Security Leader